Controlling user actions and access to electronic data assets

ABSTRACT

A computer system is disclosed that provides purpose-based control of user actions and access to electronic data assets. For example, the computer system may perform operations including: receiving, from a user, a request to perform an action; determining any checkpoint config objects associated with the action; displaying a checkpoint dialog based on the checkpoint config object; determining whether criteria associated with the checkpoint config object are satisfied; and, in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and proceeding to perform the action.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit of U.S. Provisional Patent Application No. 63/201,958, filed May 20, 2021, and titled “CONTROLLING USER ACTIONS AND ACCESS TO ELECTRONIC DATA ASSETS.” The entire disclosure of each of the above items is hereby made part of this specification as if set forth fully herein and incorporated by reference for all purposes, for all that it contains.

Any and all applications for which a foreign or domestic priority claim is identified in the Application Data Sheet as filed with the present application are hereby incorporated by reference under 37 CFR 1.57 for all purposes and for all that they contain.

TECHNICAL FIELD

Embodiments of the present disclosure relate to systems and techniques for controlling user actions and access to electronic data assets. More specifically, the present disclosure includes controlling user actions and access, for example by managing and auditing actions and access, related to electronic data assets based on purpose-based access controls.

BACKGROUND

A background is provided for introductory purposes and to aid the reader in understanding the detailed description. The background should not be taken as an admission of any prior art to the claims.

Some computer systems limit access to electronic data assets by requiring authentication credentials, such as a username and password. Some computer systems also impose authorization restrictions that specify which user or groups of users can read, write, or modify an electronic data asset.

However, these computer systems can be insufficient for protecting and auditing user actions and access to electronic data assets. Furthermore, the use of authentication credentials and authorization restrictions, without more, can be inefficient and take large amounts of time, data, and memory to administer, especially when making large scale changes. Authentication credentials and authorization restrictions may also be insufficient for protecting private or confidential electronic data assets.

SUMMARY

The systems, methods, and devices described herein each have several aspects, no single one of which is solely responsible for its desirable attributes. Without limiting the scope of this disclosure, several non-limiting features will now be described briefly.

In general, access to data assets allowing user actions may be managed by assigning authentication credentials (e.g., usernames and passwords) to users. Computer administrators may further impose authorization restrictions specifying which users or groups of users can perform certain actions, or read, write, or modify a data asset. There may not be easy methods of propagating large-scale changes to the restrictions—to change these, an administrator may have to manually change each permission of each data asset and/or user. It can be difficult to track or report why users are performing actions and/or accessing authorized data assets. It can also be difficult to track or ensure that users are qualified to perform actions and/or access authorized data assets.

Embodiments of the present disclosure include computer systems for purpose-based control of user actions and access to data assets, going beyond simple authentication of users, where the purpose-based actions and access are configured such that data governance may be pushed to the forefront. The systems may provide structure to previously unstructured governance metadata using data objects (also referred to herein simply as “objects”). Advantageously, through the use of objects, governance may be integrated into an action and access control framework such that analyst users cannot perform actions or access data without proceeding through a well-defined process that, e.g.: (1) improves data owners' visibility into actions that are being performed, how data is being used, and how processing of the data may impact data subjects, (2) aids in accountability by providing well-defined roles and capturing metadata that is useful for audit, (3) enables revoking of permissions and time bounds on permissions, among other advantages. Unlike systems that implement only authentication and authorization, the systems described herein can log why authenticated and authorized users are performing actions and accessing data assets, and ensure that users are authorized to perform actions and/or access the data assets for a selected purpose, among other advantages. This can be accomplished, for example, by capturing a contextual history of actions and data access requests directly in objects associated with the actions and requests.

A computer system or software framework is provided for providing checkpoints on user actions. Such checkpoints may comprise controls, preventing users from taking certain actions before providing, e.g., a justification for taking the action. The checkpoints may be configurable, and may be used for many types of user actions, including, for example, downloading or exporting data, uploading or importing data, duplicating data, accessing data, elevating permissions, logging in, accepting end-user license agreements (“EULAs”), and/or the like. The checkpoints may be configured with various parameters and criteria, including frequency criteria, and may include a workflow for approval by a second user.

A computer system or software framework is also provided for purpose-based control of user actions and data permissioning within an organization. The system's action control and data permissioning is based on a user's selected purpose, in addition to authentication and authorization. An organization may establish purposes associated with actions on, and/or access to, data assets (e.g., datasets, folders, and/or the like).

The system may include at least three roles for users interacting with the system: (1) purpose sponsor user, who may be the responsible risk owner, and who may approve purpose access requests and create data access requests; (2) data asset owner user, who may be responsible for one or more data assets, and who may review data access requests for the data assets that they own; and (3) analyst user, who may create purpose access requests with clear justifications for the requests, and who may then access and analyze data. Purpose sponsor users and data asset owner users may each have the ability to assign delegates or administrators for acting on their behalf for various types of requests. Further, according to various embodiments, the system may include the additional role of a governance administrator user, who may be responsible for establishing organization-wide policies regarding data usage and monitoring that these policies are properly implemented by the organization. In some embodiments, the roles of governance administrator user and purpose sponsor user may overlap partially or fully, or a single one of these roles may fulfill the responsibilities of both.

The system may include an object model and generate objects associated with various users interacting with the system in various roles, e.g.: analyst user objects, purpose sponsor objects, and data asset owner objects. The system may further include generating objects associated with purposes and data assets: purpose objects and data asset objects. The system may further include generating objects associated with access requests: purpose access request objects that link an analyst user to a purpose, and data access request objects that link data assets to a purpose. The system may further include generating objects associated with checkpoints: checkpoint config objects and checkpoint record objects. The various objects can store metadata associated with various aspects of the purpose-based data access, which may advantageously enable investigation and auditing. By using the object model, various users can more easily make and propagate large-scale changes to the system as compared to, for example, individual editing of users' permissions or tracking access in spreadsheets.

Further, according to various embodiments, various interactive graphical user interfaces are provided for allowing various types of users to interact with the systems and methods described herein to, for example, generate, review, and/or modify purpose objects, purpose access request objects, data access request objects, checkpoint config objects, checkpoint record objects, and/or the like.

The interactive and dynamic user interfaces described herein are enabled by innovations in efficient interactions between the user interfaces and underlying systems and components. For example, disclosed herein are improved methods of receiving user inputs, translation and delivery of those inputs to various system components, automatic and dynamic execution of complex processes in response to the input delivery, automatic interaction among various components and processes of the system, and automatic and dynamic updating of the user interfaces. The interactions and presentation of data via the interactive user interfaces described herein may accordingly provide cognitive and ergonomic efficiencies and advantages over previous systems.

Various embodiments of the present disclosure provide improvements to various technologies and technological fields. For example, as described above, existing data storage and processing technology (including, e.g., in-memory databases) is limited in various ways (e.g., manual data review is slow, costly, and less detailed; data is too voluminous; etc.), and various embodiments of the disclosure provide significant improvements over such technology. Additionally, various embodiments of the present disclosure are inextricably tied to computer technology. In particular, various embodiments rely on detection of user inputs via graphical user interfaces, calculation of updates to displayed electronic data based on those user inputs, automatic processing of related electronic data, and presentation of the updates to displayed information via interactive graphical user interfaces. Such features and others (e.g., processing and analysis of large amounts of electronic data) are intimately tied to, and enabled by, computer technology, and would not exist except for computer technology. For example, the interactions with displayed data described below in reference to various embodiments cannot reasonably be performed by humans alone, without the computer technology upon which they are implemented. Further, the implementation of the various embodiments of the present disclosure via computer technology enables many of the advantages described herein, including more efficient interaction with, and presentation of, various types of electronic data.

Various combinations of the above and below recited features, embodiments, and aspects are also disclosed and contemplated by the present disclosure.

Additional embodiments of the disclosure are described below in reference to the appended claims, which may serve as an additional summary of the disclosure.

In various embodiments, systems and/or computer systems are disclosed that comprise a computer readable storage medium having program instructions embodied therewith, and one or more processors configured to execute the program instructions to cause the systems and/or computer systems to perform operations comprising one or more aspects of the above- and/or below-described embodiments (including one or more aspects of the appended claims).

In various embodiments, computer-implemented methods are disclosed in which, by one or more processors executing program instructions, one or more aspects of the above- and/or below-described embodiments (including one or more aspects of the appended claims) are implemented and/or performed.

In various embodiments, computer program products comprising a computer readable storage medium are disclosed, wherein the computer readable storage medium has program instructions embodied therewith, the program instructions executable by one or more processors to cause the one or more processors to perform operations comprising one or more aspects of the above- and/or below-described embodiments (including one or more aspects of the appended claims).

BRIEF DESCRIPTION OF THE DRAWINGS

The following drawings and the associated descriptions are provided to illustrate embodiments of the present disclosure and do not limit the scope of the claims. Aspects and many of the attendant advantages of this disclosure will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 shows a block diagram illustrating an example access management system, including an example object-centric conceptual data model, according to one or more embodiments of the present disclosure;

FIG. 2A shows a block diagram illustrating example components and data that may be used in identifying and storing data according to an ontology, according to one or more embodiments;

FIG. 2B shows a block diagram illustrating an example data management system, according to one or more embodiments;

FIG. 3 shows an example block diagram including a computing environment for controlling access to electronic data assets, according to one or more embodiments;

FIG. 4 shows a block diagram illustrating an example authentication service, according to one or more embodiments;

FIGS. 5A-5B show example block diagrams including object models for managing or controlling access to electronic data assets based on purposes, according to one or more embodiments;

FIGS. 6A-6C show block diagrams illustrating example data flows and interactions related to managing or controlling access to electronic data assets based on purposes, according to one or more embodiments;

FIGS. 7A-7D show flowcharts illustrating example operations of an access management system, according to one or more embodiments;

FIG. 8 shows a block diagram illustrating a computer system upon which various embodiments may be implemented;

FIGS. 9A-9C illustrate example interactive graphical user interfaces related to an analyst user, among others, according to one or more embodiments;

FIGS. 10A-10F illustrate example interactive graphical user interfaces related to a purpose sponsor user, among other users, according to one or more embodiments;

FIGS. 11A-11B illustrate example interactive graphical user interfaces related to a purpose sponsor user and/or a data asset owner user, among other users, according to one or more embodiments;

FIGS. 12A-12F illustrate example interactive graphical user interfaces related to a purpose sponsor, among others, according to one or more embodiments;

FIGS. 13A-13E illustrate example interactive graphical user interfaces related to a data asset owner user, among other users, according to one or more embodiments;

FIGS. 14A-14K illustrate example interactive graphical user interfaces related to a governance administrator user, among other users, according to one or more embodiments;

FIG. 15A shows a block diagram including an example computing environment for controlling user actions using checkpoints, according to one or more embodiments;

FIG. 15B shows a flowchart illustrating example operations of an access management system, according to one or more embodiments;

FIGS. 16A-16D illustrate example interactive graphical user interfaces related to providing purpose-based checkpoints, according to one or more embodiments;

FIG. 17A shows an example block diagram including a computing environment for configuring checkpoints, according to one or more embodiments;

FIG. 17B shows an example object model for managing or controlling user actions with checkpoints, according to one or more embodiments;

FIG. 17C illustrates an example of one or more data stores with example data in various groups, projects, scopes, and/or the like, according to one or more embodiments;

FIG. 18 shows flowcharts illustrating example operations of an access management system, according to one or more embodiments;

FIGS. 19A-19J illustrate example interactive graphical user interfaces related to configuring purpose-based checkpoints, according to one or more embodiments; and

FIGS. 20-22 show block diagrams of example alternative computing environments for controlling user actions using checkpoints, according to one or more embodiments.

DETAILED DESCRIPTION

Although certain preferred embodiments and examples are disclosed below, the inventive subject matter extends beyond the specifically disclosed embodiments to other alternative embodiments and/or uses and to modifications and equivalents thereof. Thus, the scope of the claims appended hereto is not limited by any of the particular embodiments described below. For example, in any method or process disclosed herein, the acts or operations of the method or process may be performed in any suitable sequence and are not necessarily limited to any particular disclosed sequence. Various operations may be described as multiple discrete operations in turn, in a manner that may be helpful in understanding certain embodiments; however, the order of description should not be construed to imply that these operations are order dependent. Additionally, the structures, systems, and/or devices described herein may be embodied as integrated components or as separate components. For purposes of comparing various embodiments, certain aspects and advantages of these embodiments are described. Not necessarily all such aspects or advantages are achieved by any particular embodiment. Thus, for example, various embodiments may be carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other aspects or advantages as may also be taught or suggested herein.

I. Overview

As noted above, in general, access to data assets may be managed by assigning authentication credentials (e.g., usernames and passwords) to users. Computer administrators may further impose authorization restrictions specifying which users or groups of users can read, write, or modify a data asset. There may not be easy methods of propagating large-scale changes to the restrictions—to change these, an administrator may have to manually change each permission of each data asset. It may be difficult to track or report why users are accessing authorized data assets. It can also be difficult to track or ensure that users are qualified to access authorized data assets.

Embodiments of the present disclosure include computer systems for purpose-based control of user actions and access to data assets, going beyond simple authentication of users, where the purpose-based actions and access are configured such that data governance may be pushed to the forefront. The systems may provide structure to previously unstructured governance metadata using data objects (also referred to herein simply as “objects”). Advantageously, through the use of objects, governance may be integrated into an action and access control framework such that analyst users cannot perform actions or access data without proceeding through a well-defined process that, e.g.: (1) improves data owners' visibility into actions that are being performed, how data is being used, and how processing of the data may impact data subjects, (2) aids in accountability by providing well-defined roles and capturing metadata that is useful for audit, (3) enables revoking of permissions and time bounds on permissions, among other advantages. Unlike systems that implement only authentication and authorization, the systems described herein can log why authenticated and authorized users are performing actions and accessing data assets, and ensure that users are authorized to perform actions and/or access the data assets for a selected purpose, among other advantages. This can be accomplished, for example, by capturing a contextual history of actions and data access requests directly in objects associated with the actions and requests.

A computer system or software framework is provided for providing checkpoints on user actions. Such checkpoints may comprise controls, preventing users from taking certain actions before providing, e.g., a justification for taking the action. The checkpoints may be configurable, and may be used for many types of user actions, including, for example, downloading or exporting data, uploading or importing data, duplicating data, accessing data, elevating permissions, logging in, accepting end-user license agreements (“EULAs”), and/or the like. The checkpoints may be configured with various parameters and criteria, including frequency criteria, and may include a workflow for approval by a second user.
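The checkpoint flow outlined in the Abstract and in the Summary, and repeated in the paragraph above (look up the checkpoint config objects associated with an action, evaluate their criteria, write a checkpoint record object, and only then proceed), can be made concrete in a short model. The following Python is an added example written for this page, not code from the disclosure. The class and field names, the `frequency_window` and `require_approver` criteria, and the sample user, actions and timestamps are all assumptions chosen to illustrate the described behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed model of the checkpoint flow: the class, field and identifier
# names below are assumptions made for this example, not names from the page.

@dataclass
class CheckpointConfig:
    """Checkpoint config object: the action it guards and its criteria."""
    config_id: str
    action_type: str                               # e.g. "export", "elevate_permissions"
    min_justification_len: int = 10                # 0 turns the justification criterion off
    frequency_window: Optional[timedelta] = None   # None: the checkpoint fires on every action
    require_approver: bool = False                 # workflow for approval by a second user

@dataclass
class CheckpointRecord:
    """Checkpoint record object: the audit record of a satisfied checkpoint."""
    config_id: str
    user: str
    action_type: str
    justification: str
    timestamp: datetime
    approved_by: Optional[str] = None

class CheckpointService:
    def __init__(self, configs: List[CheckpointConfig]):
        self.configs = list(configs)
        self.records: List[CheckpointRecord] = []

    def configs_for(self, action_type: str) -> List[CheckpointConfig]:
        """Find the checkpoint config objects associated with the requested action."""
        return [c for c in self.configs if c.action_type == action_type]

    def _satisfied_within_window(self, cfg: CheckpointConfig, user: str, now: datetime) -> bool:
        """Frequency criterion: an existing record inside the window satisfies the checkpoint."""
        if cfg.frequency_window is None:
            return False
        return any(r.config_id == cfg.config_id and r.user == user
                   and timedelta(0) <= now - r.timestamp <= cfg.frequency_window
                   for r in self.records)

    def request_action(self, user: str, action_type: str, now: datetime,
                       justification: str = "", approver: Optional[str] = None) -> Tuple[bool, str]:
        """Evaluate every checkpoint for the action. Checkpoint records are written, and
        the action proceeds, only when the criteria of all of them are satisfied."""
        pending: List[CheckpointRecord] = []
        for cfg in self.configs_for(action_type):
            if self._satisfied_within_window(cfg, user, now):
                continue                             # no dialog needed this time
            if len(justification.strip()) < cfg.min_justification_len:
                return False, f"{cfg.config_id}: justification required"
            if cfg.require_approver and (approver is None or approver == user):
                return False, f"{cfg.config_id}: approval by a second user required"
            pending.append(CheckpointRecord(cfg.config_id, user, action_type,
                                            justification.strip(), now, approver))
        self.records.extend(pending)
        return True, "checkpoints satisfied, proceeding with action"

def run_scenario() -> Tuple[List[bool], int]:
    """Walk one constructed user through both checkpoints; returns decisions and record count."""
    svc = CheckpointService([
        CheckpointConfig("cp-export", "export", frequency_window=timedelta(days=1)),
        CheckpointConfig("cp-elevate", "elevate_permissions", require_approver=True),
    ])
    t0 = datetime(2021, 5, 20, 9, 0)                # constructed timestamp
    steps = [
        svc.request_action("alice", "export", t0),                                # no justification
        svc.request_action("alice", "export", t0, "Quarterly report for finance"),
        svc.request_action("alice", "export", t0 + timedelta(hours=3)),           # inside window
        svc.request_action("alice", "export", t0 + timedelta(days=2)),            # window elapsed
        svc.request_action("alice", "elevate_permissions", t0, "Hotfix deploy to prod"),
        svc.request_action("alice", "elevate_permissions", t0, "Hotfix deploy to prod", approver="alice"),
        svc.request_action("alice", "elevate_permissions", t0, "Hotfix deploy to prod", approver="bob"),
    ]
    return [allowed for allowed, _ in steps], len(svc.records)

if __name__ == "__main__":
    decisions, n_records = run_scenario()
    print(decisions, n_records)
```

Two design choices matter for auditability: records are committed only after every checkpoint for the action has passed, so a refusal never leaves a half-written trail, and the frequency criterion is evaluated against the stored records themselves rather than a separate cache, so the audit log and the control state cannot drift apart. A self-approval is rejected because the second-user workflow exists precisely to separate the requester from the approver.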

A computer system or software framework is also provided for purpose-based control of user actions and data permissioning within an organization. The system's action control and data permissioning is based on a user's selected purpose, in addition to authentication and authorization. An organization may establish purposes associated with actions on, and/or access to, data assets (e.g., datasets, folders, and/or the like).

The system may include at least three roles for users interacting with the system: (1) purpose sponsor user, who may be the responsible risk owner, and who may approve purpose access requests and create data access requests; (2) data asset owner user, who may be responsible for one or more data assets, and who may review data access requests for the data assets that they own; and (3) analyst user, who may create purpose access requests with clear justifications for the requests, and who may then access and analyze data. Purpose sponsor users and data asset owner users may each have the ability to assign delegates or administrators for acting on their behalf for various types of requests. Further, according to various embodiments, the system may include the additional role of a governance administrator user, who may be responsible for establishing organization-wide policies regarding data usage and monitoring that these policies are properly implemented by the organization. In some embodiments, the roles of governance administrator user and purpose sponsor user may overlap partially or fully, or a single one of these roles may fulfill the responsibilities of both.

The system may include an object model and generate objects associated with various users interacting with the system in various roles, e.g.: analyst user objects, purpose sponsor objects, and data asset owner objects. The system may further include generating objects associated with purposes and data assets: purpose objects and data asset objects. The system may further include generating objects associated with access requests: purpose access request objects that link an analyst user to a purpose, and data access request objects that link data assets to a purpose. The system may further include generating objects associated with checkpoints: checkpoint config objects and checkpoint record objects. The various objects can store metadata associated with various aspects of the purpose-based data access, which may advantageously enable investigation and auditing. By using the object model, various users can more easily make and propagate large-scale changes to the system as compared to, for example, individual editing of users' permissions or tracking access in spreadsheets.

Further, according to various embodiments, various interactive graphical user interfaces are provided for allowing various types of users to interact with the systems and methods described herein to, for example, generate, review, and/or modify purpose objects, purpose access request objects, data access request objects, checkpoint config objects, checkpoint record objects, and/or the like.

The following is an example workflow of the system: The purpose sponsor user creates a new purpose (e.g., a purpose titled: Dashboard for Regional Decision Makers), causing the generation of a purpose object. The purpose sponsor user identifies data assets for inclusion within the scope of the purpose. As part of the identification of data assets for inclusion, the purpose sponsor user may determine any relevant granular access restrictions (e.g., geography or role-based restrictions). The purpose sponsor user requests use of a data asset from the data asset owner user, providing justification and legal basis, causing the generation of one or more data access request objects. Related metadata is recorded with the data access request objects. Following an assessment, the data asset owner user approves the use of the data asset under the purpose. The approval is recorded with the data access request object as metadata. The purpose sponsor user optionally nominates key roles for automatic approval for access to the purpose (e.g., regional directors have automatic access to purpose: “Dashboard for Regional Decision Makers”). Additionally, or alternatively, individual users can request access to the purpose. In either case, the system generates corresponding purpose access request objects. Related metadata is recorded with the purpose access request objects. The purpose sponsor user (and/or their delegates) grants access to the purpose on a case-by-case basis (e.g., for other individuals within regions, as nominated by regional directors). The grant of access is recorded with the purpose access request object as metadata.

Additional data can be brought into the scope of the purpose at the request of the purpose sponsor user and with the approval of the data asset owner user, following a similar flow to that described above. When additional data is brought into a purpose, all analyst users with access to the purpose are granted access to the additional data, when accessed within the purpose. Advantageously, in view of the flow described above and the object-based system, at any time it may be possible to answer questions such as: “what data can this analyst user see?”, “why are they allowed to see it?”, and the like.
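The workflow described above, together with the object model of this Overview (purpose objects; data access request objects that link a data asset to a purpose and carry the owner's approval as metadata; purpose access request objects that link an analyst user to a purpose and carry the sponsor's grant, with an optional time bound and revocation), as an added Python example that is not part of the disclosure. Class names, field names, the role checks, and the sample users, assets, purpose and dates are assumptions made here. The point it shows is that the two questions at the end of the paragraph above can be answered by walking the request objects alone, and that data added to a purpose later becomes visible to existing members without touching any per-user permission.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed object model for purpose-based access; class, field and sample names
# are assumptions made for this example, not identifiers taken from the page.

@dataclass
class DataAccessRequest:        # links a data asset to a purpose
    asset_id: str
    purpose_id: str
    justification: str
    legal_basis: str
    approved_by: Optional[str] = None       # data asset owner who approved
    approved_at: Optional[datetime] = None

@dataclass
class PurposeAccessRequest:     # links an analyst user to a purpose
    user: str
    purpose_id: str
    justification: str
    granted_by: Optional[str] = None        # purpose sponsor who granted
    granted_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None   # time bound on the permission
    revoked_at: Optional[datetime] = None

def _active(start, revoked, now, expires=None) -> bool:
    """Recorded by `now`, not revoked and not expired."""
    if start is None or start > now or (revoked is not None and revoked <= now):
        return False
    return expires is None or now < expires

class PurposeAccessModel:
    def __init__(self, asset_owners: Dict[str, str]):
        self.asset_owners = asset_owners            # asset_id -> data asset owner user
        self.purposes: Dict[str, dict] = {}         # purpose objects: title and sponsor
        self.data_requests: List[DataAccessRequest] = []
        self.purpose_requests: List[PurposeAccessRequest] = []

    def create_purpose(self, purpose_id, title, sponsor):
        self.purposes[purpose_id] = {"title": title, "sponsor": sponsor}

    def request_data_asset(self, requester, purpose_id, asset_id, justification, legal_basis):
        if self.purposes[purpose_id]["sponsor"] != requester:
            raise PermissionError("only the purpose sponsor may request data assets")
        self.data_requests.append(DataAccessRequest(asset_id, purpose_id, justification, legal_basis))

    def approve_data_asset(self, owner, purpose_id, asset_id, now):
        if self.asset_owners.get(asset_id) != owner:
            raise PermissionError(f"{owner} does not own {asset_id}")
        dar = next(d for d in self.data_requests          # StopIteration: nothing pending
                   if d.asset_id == asset_id and d.purpose_id == purpose_id and d.approved_at is None)
        dar.approved_by, dar.approved_at = owner, now       # approval recorded as metadata

    def request_purpose_access(self, user, purpose_id, justification):
        self.purpose_requests.append(PurposeAccessRequest(user, purpose_id, justification))

    def grant_purpose_access(self, granter, user, purpose_id, now, expires_at=None):
        if self.purposes[purpose_id]["sponsor"] != granter:
            raise PermissionError("only the purpose sponsor may grant purpose access")
        par = next(p for p in self.purpose_requests        # StopIteration: nothing pending
                   if p.user == user and p.purpose_id == purpose_id and p.granted_at is None)
        par.granted_by, par.granted_at, par.expires_at = granter, now, expires_at

    def revoke_purpose_access(self, user, purpose_id, now):
        for par in (p for p in self.purpose_requests if p.user == user and p.purpose_id == purpose_id):
            par.revoked_at = now

    def visible_assets(self, user, now) -> Dict[str, List[str]]:
        """Answer 'what data can this analyst see?' and 'why?' from the request objects alone."""
        visible: Dict[str, List[str]] = {}
        for par in self.purpose_requests:
            if par.user != user or not _active(par.granted_at, par.revoked_at, now, par.expires_at):
                continue
            for dar in self.data_requests:
                if dar.purpose_id == par.purpose_id and _active(dar.approved_at, None, now):
                    why = (f"purpose '{self.purposes[par.purpose_id]['title']}': granted by {par.granted_by}; "
                           f"asset approved by {dar.approved_by} (legal basis: {dar.legal_basis})")
                    visible.setdefault(dar.asset_id, []).append(why)
        return visible

def run_scenario() -> Dict[str, bool]:
    """Replay the workflow from the text with constructed users, assets and dates."""
    m = PurposeAccessModel({"sales_q1": "olivia", "hr_records": "olivia"})
    day = lambda n: datetime(2021, 5, 20) + timedelta(days=n)   # constructed timeline
    m.create_purpose("p1", "Dashboard for Regional Decision Makers", sponsor="sam")
    m.request_data_asset("sam", "p1", "sales_q1", "regional KPIs", "legitimate interest")
    m.approve_data_asset("olivia", "p1", "sales_q1", day(0))
    m.request_purpose_access("ana", "p1", "building the regional dashboard")
    m.grant_purpose_access("sam", "ana", "p1", day(0), expires_at=day(30))
    out = {"sees_sales": "sales_q1" in m.visible_assets("ana", day(1))}
    m.request_data_asset("sam", "p1", "hr_records", "headcount view", "contract")  # data added later
    m.approve_data_asset("olivia", "p1", "hr_records", day(2))
    out["sees_hr_after"] = "hr_records" in m.visible_assets("ana", day(3))
    out["after_expiry"] = bool(m.visible_assets("ana", day(31)))
    m.revoke_purpose_access("ana", "p1", day(5))
    out["after_revoke"] = bool(m.visible_assets("ana", day(6)))
    return out
```

Each string in the dictionary that `visible_assets` returns is the answer to "why are they allowed to see it?": the purpose, who granted the analyst access to it, and which owner approved the asset for that purpose on what legal basis. Because the decision is derived from the request objects every time, revoking a grant or letting it expire takes effect immediately for every asset under the purpose, which is the propagation advantage the text contrasts with editing permissions one by one.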

II. Terms

To facilitate an understanding of the systems and methods discussed herein, a number of terms are defined below. The terms defined below, as well as other terms used herein, should be construed to include the provided definitions, the ordinary and customary meaning of the terms, and/or any other implied meaning for the respective terms. Thus, the definitions below do not limit the meaning of these terms, but only provide exemplary definitions.

Data Asset: Any data, data item, dataset, or group of data, data items, or datasets. May include data and items that can be stored by and/or accessed by a computer system. Non-limiting examples include files, folders, computing machines, memory, processors, servers, hard drives, data tables, databases, laptops, RSA tokens, and/or the like. Also referred to herein as “resources”, “computer resources”, and/or the like.

Data Object or Object: A data container for information representing specific things that have a number of definable properties. For example, a data object can represent an entity such as a person or user, a place, a group, an organization, a resource, a data asset, a request, a purpose, or other noun. A data object can represent an event that happens at a point in time or for a duration. A data object can represent a document or other unstructured data source such as an e-mail message, a news report, or a written paper or article. Each data object may be associated with a unique identifier that uniquely identifies the data object. The object's attributes (e.g., metadata about the object) may be represented in one or more properties. Data objects can be stored, for example, as rows in a database or a table in a database.

Object Type: A type of a data object (e.g., user, data asset, purpose, request, checkpoint config, checkpoint record, and/or the like). Object types may be defined by an ontology and may be modified or updated to include additional object types. An object definition (e.g., in an ontology) may include how the object is related to other objects, such as being a sub-object type of another object type (e.g., an agent may be a sub-object type of a person object type), and the properties the object type may have.

III. Example Object Centric Data Model

To provide a framework for the following discussion of specific systems and methods described herein, an example access management system 110 using an ontology 105 will now be described. The access management system 110 is described in the context of an example computing environment 111. This description is provided for the purpose of providing an example and is not intended to limit the techniques to the example data model, the example access management system, or the example access management system's use of an ontology to represent information.

In some embodiments, a body of data is conceptually structured according to an object-centric data model represented by ontology 105. The conceptual data model is independent of any particular database used for durably storing one or more database(s) 109 based on the ontology 105. For example, each object of the conceptual data model may correspond to one or more rows in a relational database or an entry in a Lightweight Directory Access Protocol (LDAP) database, or any combination of one or more databases.

FIG. 1 shows a block diagram illustrating an example access management system, including an example object-centric conceptual data model, according to one or more embodiments of the present disclosure. An ontology 105, as noted above, may include stored information providing a data model for storage of data in the database 109. The ontology 105 may be defined by one or more object types, which may each be associated with one or more property types. At the highest level of description, data object 101 is a container for information representing things in the world. For example, data object 101 can represent an entity such as a person or user, a place, a group, an organization, a resource, a data asset, a request, a purpose, a link, or other noun. Data object 101 can represent an event that happens at a point in time or for a duration. Data object 101 can represent a document or other unstructured data source such as an e-mail message, a news report, or a written paper or article. Each data object 101 is associated with a unique identifier that uniquely identifies the data object within the access management system.

Different types of data objects may have different property types. For example, a “Person” data object might have an “Eye Color” property type and an “Event” data object might have a “Date” property type. Each property 103 as represented by data in the access management system 110 may have a property type defined by the ontology 105 used by the database 109.

Objects may be instantiated in the database 109 in accordance with the corresponding object definition for the particular object in the ontology 105. For example, a specific folder (e.g., an object of type “Data Asset”) at “C:\Folder” (e.g., a property of type “directory”) may be stored in the database 109 as data asset object metadata as defined within the ontology 105.

The data objects defined in the ontology 105 may support property multiplicity. In particular, a data object 101 may be allowed to have more than one property 103 of the same property type. For example, a “Person” data object might have multiple “Address” properties or multiple “Name” properties.

Each link 102 represents a connection between two data objects 101. In some embodiments, the connection can be through a relationship, an event, a property, or through matching properties. A relationship connection may be asymmetrical or symmetrical. For example, “Person” data object A may be connected to “Person” data object B by a “Boss Of” relationship (where “Person” data object B has an asymmetric “Boss Of” relationship to “Person” data object A), a “Kin Of” symmetric relationship to “Person” data object C, and an asymmetric “Member Of” relationship to “Organization” data object X. The type of relationship between two data objects may vary depending on the types of the data objects. For example, “Person” data object A may have an “Appears In” relationship with “Document” data object Y or have a “Participate In” relationship with “Event” data object E. As an example of an event connection, two “Person” data objects may be connected by an “Office” data object representing a particular business office if they worked at the same place, or by a “Meeting” data object representing a particular meeting if they both attended that meeting. In one embodiment, when two data objects are connected by an event, they are also connected by relationships, in which each data object has a specific relationship to the event, such as, for example, an “Appears In” relationship.

As an example of a matching properties connection, two “Person” data objects representing accountants at a finance firm may both have a “CPA Qualified” property that indicates that both of them have CPA licenses. If both people work at the same office, then their “Business Address” properties likely contain similar, if not identical, property values. In some embodiments, a link between two data objects may be established based on similar or matching properties (e.g., property types and/or property values) of the data objects. These are just some examples of the types of connections that may be represented by a link, and other types of connections may be represented; embodiments are not limited to any particular types of connections between data objects. For example, a document might contain references to two different objects. For example, a document may contain a reference to an event (one object), and a person (a second object). A link between these two objects may represent a connection between these two entities through their co-occurrence within the same document.

Each data object 101 can have multiple links with another data object 101 to form a link set. Each link 102 as represented by data in a database may have a link type defined by the database ontology used by the database.

FIG. 2A shows a block diagram illustrating example components and data that may be used in identifying and storing data according to an ontology, according to one or more embodiments. In this example, the ontology may be configured, and data in the data model populated, by a system of parsers and ontology configuration tools. In the embodiment of FIG. 2A, input data 200 is provided to parser 202. The input data may comprise data from one or more sources. For example, a rental car institution may have one or more databases with information on calendar entries, rental cars, and people. The databases may contain a variety of related information and attributes about each type of data, such as a “date” for a calendar entry, an address for a person, and a date for when a rental car is rented. The parser 202 is able to read a variety of source input data types and determine which type of data it is reading.

In accordance with the discussion above, the example ontology 105 comprises stored information providing the data model of data stored in database 109, and the ontology is defined by one or more object types 210, one or more property types 216, and one or more link types 230. Based on information determined by the parser 202 or other mapping of source input information to object type, one or more data objects 101 may be instantiated in the database 109 based on respective determined object types 210, and each of the objects 101 has one or more properties 103 that are instantiated based on property types 216. Two data objects 101 may be connected by one or more links 102 that may be instantiated based on link types 230. The property types 216 each may comprise one or more data types 218, such as a string, number, and/or the like. Property types 216 may be instantiated based on a base property type 220. For example, a base property type 220 may be “Locations” and a property type 216 may be “Home.”

In some embodiments, an administrator of the system (e.g., a user with the proper role and/or permissions) uses an object type editor 224 to create and/or modify the object types 210 and define attributes of the object types. In some embodiments, an administrator of the system uses a property type editor 226 to create and/or modify the property types 216 and define attributes of the property types. In some embodiments, an administrator of the system uses link type editor 228 to create the link types 230. Alternatively, other programs, processes, or programmatic controls may be used to create link types and property types and define attributes, and using editors is not required.

In some embodiments, creating a property type 216 using the property type editor 226 involves defining at least one parser definition using a parser editor 222. A parser definition comprises metadata that informs parser 202 how to parse input data 200 to determine whether values in the input data can be assigned to the property type 216 that is associated with the parser definition. In an embodiment, each parser definition may comprise a regular expression parser 204A or a code module parser 204B. In other embodiments, other kinds of parser definitions may be provided using scripts or other programmatic elements. Once defined, both a regular expression parser 204A and a code module parser 204B can provide input to parser 202 to control parsing of input data 200.

Using the data types defined in the ontology, input data 200 may be parsed by the parser 202 to determine which object type 210 should receive data from a record created from the input data, and which property types 216 should be assigned to data from individual field values in the input data. Based on the object-property mapping 201 (including properties 208A, 208B), the parser 202 selects one of the parser definitions that is associated with a property type in the input data. The parser parses an input data field using the selected parser definition, resulting in the creation of new or modified data 203. The new or modified data 203 is added to the database 109 according to ontology 105 by storing values of the new or modified data in a property of the specified property type. As a result, input data 200 having varying format or syntax can be represented in database 109. The ontology 105 may be modified at any time using object type editor 224, property type editor 226, and link type editor 228, or under program control without human use of an editor. Parser editor 222 enables creating multiple parser definitions that can successfully parse input data 200 having varying format or syntax and determine which property types should be used to transform input data 200 into new or modified data 203.
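The following is an added worked example of the ontology, parser-definition and link mechanism described above (FIGS. 1 and 2A); it is not code from the present disclosure. It assumes a small “Person” object type with “Name”, “Email” and “Business Address” property types, one regular-expression parser definition and one code-module parser definition, and constructed input records whose field order varies from record to record. The point a practitioner should take from it: a field that no parser definition accepts is reported rather than silently stored, and a link is created only from a matching property value, never from positional field order.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# A parser definition is either a regular-expression parser (204A) or a
# code-module parser (204B). Both answer "does this raw field value belong to
# my property type?" and, if so, return the value to store.
@dataclass
class ParserDefinition:
    property_type: str
    regex: Optional[str] = None
    code: Optional[Callable[[str], Optional[str]]] = None

    def parse(self, raw: str) -> Optional[str]:
        if self.regex is not None:
            m = re.fullmatch(self.regex, raw.strip())
            return m.group(0) if m else None
        return self.code(raw)


@dataclass
class DataObject:
    object_type: str
    object_id: str
    # (property type, value) pairs; the same property type may appear more
    # than once, which is the property multiplicity described in the text.
    properties: List[Tuple[str, str]] = field(default_factory=list)

    def values(self, property_type: str) -> List[str]:
        return [v for t, v in self.properties if t == property_type]


class Ontology:
    def __init__(self) -> None:
        self.object_types: Dict[str, List[str]] = {}   # type -> allowed property types
        self.parsers: List[ParserDefinition] = []      # ordered: first match wins

    def add_object_type(self, name: str, property_types: List[str]) -> None:
        self.object_types[name] = list(property_types)

    def add_parser(self, definition: ParserDefinition) -> None:
        self.parsers.append(definition)

    def ingest(self, object_type: str, object_id: str, raw_fields: List[str]):
        """Assign each raw field to the first property type whose parser accepts it.

        Returns the instantiated object and the fields no parser accepted;
        rejected fields are surfaced rather than stored under a guessed type.
        """
        allowed = self.object_types[object_type]
        obj = DataObject(object_type, object_id)
        rejected: List[str] = []
        for raw in raw_fields:
            for definition in self.parsers:
                if definition.property_type not in allowed:
                    continue
                value = definition.parse(raw)
                if value is not None:
                    obj.properties.append((definition.property_type, value))
                    break
            else:
                rejected.append(raw)
        return obj, rejected


def link_matching(objects: List[DataObject], property_type: str, link_type: str):
    """Create a link between every pair of objects sharing a value of property_type."""
    links = []
    for i, a in enumerate(objects):
        for b in objects[i + 1:]:
            if set(a.values(property_type)) & set(b.values(property_type)):
                links.append((a.object_id, b.object_id, link_type))
    return links


def build_example():
    ont = Ontology()
    ont.add_object_type("Person", ["Name", "Email", "Business Address"])
    # Order matters: the most specific parser definitions go first.
    ont.add_parser(ParserDefinition("Email", regex=r"[^@\s]+@[^@\s]+\.[a-z]{2,}"))
    ont.add_parser(ParserDefinition(
        "Business Address",
        code=lambda v: v.strip() if re.search(r"\d+ .+ (St|Ave|Rd)\b", v) else None))
    ont.add_parser(ParserDefinition("Name", regex=r"[A-Z][a-z]+(?: [A-Z][a-z]+)+"))

    # Constructed input records; the field order is deliberately inconsistent.
    input_data = [
        ("p1", ["Ada Lovelace", "ada@example.com", "1 Analytical Engine St"]),
        ("p2", ["charles@example.com", "Charles Babbage", "1 Analytical Engine St",
                "babbage@example.org"]),
        ("p3", ["Grace Hopper", "not an email", "12 Compiler Ave"]),
    ]
    objects, rejected = {}, []
    for object_id, raw_fields in input_data:
        obj, bad = ont.ingest("Person", object_id, raw_fields)
        objects[object_id] = obj
        rejected += [(object_id, f) for f in bad]
    return objects, rejected
```

Because parser definitions are tried in order, a value that would satisfy two property types is assigned to whichever definition is listed first; the “Name” definition is therefore placed last so that it cannot swallow an address or an e-mail address.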

IV. Example Data Management System

FIG. 2B shows a block diagram illustrating an example data management system 150, according to one or more embodiments. In particular, the data management system 150 can be used in the context of computing environment 111 along with the access management system 110 described above with respect to FIG. 1. In the embodiments of FIG. 2B, computing environment 111 can be similar to, overlap with, and/or be used in conjunction with the computing environment 111 of FIG. 1. For example, the computing environment 111 can include a database 132, which may be similar to the database 109 in the computing environment 111 of FIG. 1. However, the computing environment 111 can also include the data management system 150.

The example data management system 150 includes one or more applications 154, one or more services 155, one or more initial datasets 156, and a data transformation process 158 (also referred to herein as a build process). The example data management system 150 can include a data pipeline system. The data management system 150 can transform data and record the data transformations. The one or more applications 154 can include applications that enable users to view datasets, interact with datasets, filter data sets, and/or configure dataset transformation processes or builds. The one or more services 155 can include services that can trigger the data transformation builds and application programming interface (“API”) services for receiving and transmitting data. The one or more initial datasets 156 can be automatically retrieved from external sources and/or can be manually imported by a user. The one or more initial datasets 156 can be in many different formats such as a tabular data format (SQL, delimited, or a spreadsheet data format), a data log format (such as network logs), or time series data (such as sensor data).

The data management system 150, via the one or more services 155, can apply the data transformation process 158. An example data transformation process 158 is shown. The data management system 150 can receive one or more initial datasets 162, 164. The data management system 150 can apply a transformation to the dataset(s). For example, the data management system 150 can apply a first transformation 166 to the initial datasets 162, 164, which can include joining the initial datasets 162, 164 (such as or similar to a SQL JOIN), and/or a filtering of the initial datasets 162, 164. The output of the first transformation 166 can include a modified dataset 168. A second transformation of the modified dataset 168 can result in an output dataset 170, such as a report or a joined table in a tabular data format that can be stored in the database 132. Each of the steps in the example data transformation process 158 can be recorded by the data management system 150 and made available as a resource or data asset. For example, a data asset can include a dataset and/or a dataset item, a transformation, or any other step in a data transformation process. As mentioned above, the data transformation process or build 158 can be triggered by the data management system 150, where example triggers can include nightly build processes, detected events, or manual triggers by a user. Additional aspects of data transformations and the data management system 150 are described in further detail below.

The techniques for recording and transforming data in the data management system 150 may include maintaining an immutable history of data recording and transformation actions such as uploading a new dataset version to the data management system 150 and transforming one dataset version to another dataset version. The immutable history is referred to herein as “the catalog.” The catalog may be stored in a database. Preferably, reads and writes from and to the catalog are performed in the context of ACID-compliant transactions supported by a database management system. For example, the catalog may be stored in a relational database managed by a relational database management system that supports atomic, consistent, isolated, and durable (“ACID”) transactions.

The catalog can include versioned immutable “datasets.” More specifically, a dataset may encompass an ordered set of conceptual dataset items. The dataset items may be ordered according to their version identifiers recorded in the catalog. Thus, a dataset item may correspond to a particular version of the dataset. A dataset item may represent a snapshot of the dataset at a particular version of the dataset. As a simple example, a version identifier of ‘1’ may be recorded in the catalog for an initial dataset item of a dataset. If data is later added to the dataset, a version identifier of ‘2’ may be recorded in the catalog for a second dataset item that conceptually includes the data of the initial dataset item and the added data. In this example, dataset item ‘2’ may represent the current dataset version and is ordered after dataset item ‘1’.

As well as being versioned, a dataset may be immutable. That is, when a new version of the dataset corresponding to a new dataset item is created for the dataset in the system, pre-existing dataset items of the dataset are not overwritten by the new dataset item. In this way, pre-existing dataset items (e.g., pre-existing versions of the dataset) are preserved when a new dataset item is added to the dataset (e.g., when a new version of the dataset is created). Note that supporting immutable datasets is not inconsistent with pruning or deleting dataset items corresponding to old dataset versions. For example, old dataset items may be deleted from the system to conserve data storage space.

A version of dataset may correspond to a successfully committed transaction against the dataset. In these embodiments, a sequence of successfully committed transactions against the dataset corresponds to a sequence of dataset versions of the dataset (e.g., a sequence of dataset items of the dataset).

A transaction against a dataset may add data to the dataset, edit existing data in the dataset, remove existing data from the dataset, or a combination of adding, editing, or removing data. A transaction against a dataset may create a new version of the dataset (e.g., a new dataset item of the dataset) without deleting, removing, or modifying pre-existing dataset items (e.g., without deleting, removing, or modifying pre-existing dataset versions). A successfully committed transaction may correspond to a set of one or more files that contain the data of the dataset item created by the successful transaction. The set of files may be stored in a file system.

In the catalog, a dataset item of a dataset may be identified by the name or identifier of the dataset and the dataset version corresponding to the dataset item. In a preferred embodiment, the dataset version corresponds to an identifier assigned to the transaction that created the dataset version. The dataset item may be associated in the catalog with the set of files that contain the data of the dataset item. In a preferred embodiment, the catalog treats the set of files as opaque. That is, the catalog itself may store paths or other identifiers of the set of files but may not otherwise open, read, or write to the files.

In sum, the catalog may store information about datasets. The information may include information identifying different versions (e.g., different dataset items) of the datasets. In association with information identifying a particular version (e.g., a particular dataset item) of a dataset, there may be information identifying one or more files that contain the data of the particular dataset version (e.g., the particular dataset item).

The catalog may store information representing a non-linear history of a dataset. Specifically, the history of a dataset may have different dataset branches. Branching may be used to allow one set of changes to a dataset to be made independently of, and concurrently with, another set of changes to the dataset. The catalog may store branch names in association with dataset version identifiers for identifying dataset items that belong to a particular dataset branch.

The catalog may provide dataset provenance at the transaction level of granularity. As an example, suppose a transformation is executed in the data management system 150 multiple times that reads data from dataset A, reads data from dataset B, and transforms the data from dataset A and the data from dataset B in some way to produce dataset C. As mentioned, this transformation may be performed multiple times. Each transformation may be performed in the context of a transaction. For example, the transformation may be performed daily after datasets A and B are updated daily in the context of transactions. The result is multiple versions of dataset A, multiple versions of dataset B, and multiple versions of dataset C as a result of multiple executions of the transformation. The catalog may contain sufficient information to trace the provenance of any version of dataset C to the versions of datasets A and B from which the version of dataset C is derived. In addition, the catalog may contain sufficient information to trace the provenance of those versions of datasets A and B to the earlier versions of datasets A and B from which those versions of datasets A and B were derived.

The provenance tracking ability is the result of recording in the catalog, for a transaction that creates a new dataset version, the transaction or transactions that the given transaction depends on (e.g., is derived from). The information recorded in the catalog may include an identifier of each dependent transaction and a branch name of the dataset that the dependent transaction was committed against.

According to some embodiments, provenance tracking extends beyond transaction level granularity to column level granularity. For example, suppose a dataset version A is structured as a table of two columns and a dataset version B is structured as a table of five columns. Further assume, column three of dataset version B is computed from column one of dataset version A. In this case, the catalog may store information reflecting the dependency of column three of dataset version B on column one of dataset version A.

The catalog may also support the notion of permission transitivity. For example, suppose the catalog records information for two transactions executed against a dataset, referred to in this example as “Transaction 1” and “Transaction 2.” Further suppose a third transaction is performed against the dataset which is referred to in this example as “Transaction 3.” Transaction 3 may use data created by Transaction 1 and data created by Transaction 2 to create the dataset item of Transaction 3. After Transaction 3 is executed, it may be decided according to organizational policy that a particular user should not be allowed to access the data created by Transaction 2. In this case, as a result of the provenance tracking ability, and in particular because the catalog records the dependency of Transaction 3 on Transaction 2, if permission to access the data of Transaction 2 is revoked from the particular user, permission to access the data of Transaction 3 may be transitively revoked from the particular user.

The transitive effect of permission revocation (or permission grant) can apply to an arbitrary number of levels in the provenance tracking. For example, returning to the above example, permission may be transitively revoked for any transaction that depends directly or indirectly on the Transaction 3.

According to some embodiments, where provenance tracking in the catalog has column level granularity, permission transitivity may apply at the more fine-grained column level. In this case, permission may be revoked (or granted) on a particular column of a dataset and, based on the column-level provenance tracking in the catalog, permission may be transitively revoked on all direct or indirect descendent columns of that column.
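The following is an added worked example of the catalog behaviour described in the preceding paragraphs (immutable, versioned dataset items; branches; transaction-level provenance; and transitive permission revocation); it is not the present disclosure's implementation. Transaction identifiers, file paths, user names and the “master”/“develop” branch names are constructed for the example. Beyond what the text states, `can_access` also re-checks every transaction in an item's provenance, so that a permission granted directly on a derived item cannot outlive a revocation upstream even if `revoke` was never called against that item.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DatasetItem:
    """One immutable dataset version; created by exactly one committed transaction."""
    dataset: str
    branch: str
    txn_id: int
    files: tuple        # opaque paths; the catalog records but never opens them
    depends_on: tuple   # transactions this item was derived from


class Catalog:
    """Append-only catalog with transaction-level provenance and transitive permissions.

    Constructed example, not the patent's own implementation.
    """

    def __init__(self) -> None:
        self._items: Dict[int, DatasetItem] = {}
        self._children: Dict[int, Set[int]] = {}   # txn -> txns derived from it
        self._acl: Dict[int, Set[str]] = {}        # txn -> users permitted to read
        self._next_txn = 1

    def commit(self, dataset: str, files: Iterable[str], depends_on: Iterable[int] = (),
               branch: str = "master", grant_to: Iterable[str] = ()) -> int:
        """Record a committed transaction; existing items are never overwritten."""
        deps = tuple(depends_on)
        unknown = [d for d in deps if d not in self._items]
        if unknown:
            raise KeyError(f"unknown dependency transactions: {unknown}")
        txn = self._next_txn
        self._next_txn += 1
        self._items[txn] = DatasetItem(dataset, branch, txn, tuple(files), deps)
        self._children[txn] = set()
        for d in deps:
            self._children[d].add(txn)
        self._acl[txn] = set(grant_to)
        return txn

    def versions(self, dataset: str, branch: str = "master") -> List[int]:
        """Dataset items of one branch, ordered by version (the transaction id)."""
        return [t for t, it in sorted(self._items.items())
                if it.dataset == dataset and it.branch == branch]

    def provenance(self, txn: int) -> Set[int]:
        """All transactions, direct or indirect, that txn was derived from."""
        seen: Set[int] = set()
        stack = list(self._items[txn].depends_on)
        while stack:
            t = stack.pop()
            if t not in seen:
                seen.add(t)
                stack.extend(self._items[t].depends_on)
        return seen

    def descendants(self, txn: int) -> Set[int]:
        """All transactions that depend, directly or indirectly, on txn."""
        seen: Set[int] = set()
        stack = list(self._children[txn])
        while stack:
            t = stack.pop()
            if t not in seen:
                seen.add(t)
                stack.extend(self._children[t])
        return seen

    def revoke(self, user: str, txn: int) -> Set[int]:
        """Revoke user on txn and transitively on everything derived from it."""
        affected = {txn} | self.descendants(txn)
        for t in affected:
            self._acl[t].discard(user)
        return affected

    def can_access(self, user: str, txn: int) -> bool:
        """Permitted on the item itself and on every transaction in its provenance."""
        return all(user in self._acl[t] for t in {txn} | self.provenance(txn))
```

Column-level transitivity is the same traversal over a graph whose nodes are (dataset version, column) pairs instead of transactions; nothing in `descendants` or `revoke` depends on what the node identifiers denote.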

A build service can manage transformations which are executed in the system to transform data. The build service may leverage a directed acyclic graph (DAG) data structure to ensure that transformations are executed in proper dependency order. The graph can include a node representing an output dataset to be computed based on one or more input datasets each represented by a node in the graph with a directed edge between node(s) representing the input dataset(s) and the node representing the output dataset. The build service traverses the DAG in dataset dependency order so that the most upstream dependent datasets are computed first. The build service traverses the DAG from the most upstream dependent datasets toward the node representing the output dataset rebuilding datasets as necessary so that they are up to date. Finally, the target output dataset is built once all of the dependent datasets are up to date.

The data management system 150 can support branching for both data and code. Build branches allow the same transformation code to be executed on multiple branches. For example, transformation code on the master branch can be executed to produce a dataset on the master branch or on another branch (e.g., the develop branch). Build branches also allow transformation code on a branch to be executed to produce datasets on that branch. For example, transformation code on a development branch can be executed to produce a dataset that is available only on the development branch. Build branches provide isolation of re-computation of graph data across different users and across different execution schedules of a data pipeline. To support branching, the catalog may store information representing a graph of dependencies as opposed to a linear dependency sequence.

The data management system 150 may enable other data transformation systems to perform transformations. For example, suppose the system stores two “raw” datasets R1 and R2 that are both updated daily (e.g., with daily web log data for two web services). Each update creates a new version of the dataset and corresponds to a different transaction. The datasets are deemed raw in the sense that transformation code may not be executed by the data management system 150 to produce the datasets. Further suppose there is a transformation A that computes a join between datasets R1 and R2. The join may be performed in a data transformation system such as a SQL database system, for example. More generally, the techniques described herein are agnostic to the particular data transformation engine that is used. The data to be transformed and the transformation code to transform the data can be provided to the engine based on information stored in the catalog including where to store the output data.

According to some embodiments, the build service supports a push build. In a push build, rebuilds of all datasets that depend on an upstream dataset or an upstream transformation that has been updated are automatically determined based on information in the catalog and rebuilt. In this case, the build service may accept a target dataset or a target transformation as an input parameter to a push build command. The build service then determines all downstream datasets that need to be rebuilt, if any.

As an example, if the build service receives a push build command with dataset R1 as the target, then the build service would determine all downstream datasets that are not up to date with respect to dataset R1 and rebuild them. For example, if dataset D1 is out-of-date with respect to dataset R1, then dataset D1 is rebuilt based on the current versions of datasets R1 and R2 and the current version of transformation A. If dataset D1 is rebuilt because it is out-of-date, then dataset D2 will be rebuilt based on the up-to-date version of dataset D1 and the current version of transformation B, and so on until all downstream datasets of the target dataset are rebuilt. The build service may perform similar rebuilding if the target of the push build command is a transformation.

The build service may also support triggers. In this case, a push build may be considered a special case of a trigger. A trigger, generally, is a rebuild action that is performed by the build service that is triggered by the creation of a new version of a dataset or a new version of a transformation in the system.
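The following is an added worked example of the build service, DAG traversal, push build and trigger behaviour described in the preceding paragraphs, using the R1/R2, transformation A/B, D1/D2 names from the text; it is not the present disclosure's implementation. The raw rows, the join and the filter are constructed stand-ins for the daily web log data and the external transformation engine. A dataset is considered out of date when any input dataset version or the transformation code version differs from what was recorded at its last build, which is what makes a changed transformation rebuild only its own downstream datasets.

```python
from typing import Callable, Dict, List

Rows = List[dict]
Transform = Callable[[Dict[str, Rows]], Rows]


class BuildService:
    """Push build over a DAG of datasets (constructed example, not the patent's code)."""

    def __init__(self) -> None:
        self.data: Dict[str, Rows] = {}
        self.version: Dict[str, int] = {}             # current dataset version
        self.inputs: Dict[str, List[str]] = {}        # derived dataset -> input datasets
        self.transform: Dict[str, Transform] = {}
        self.transform_version: Dict[str, int] = {}
        self.built_from: Dict[str, dict] = {}         # input/code versions used at last build

    def add_raw(self, name: str, rows: Rows) -> None:
        self.data[name], self.version[name], self.inputs[name] = rows, 1, []

    def add_derived(self, name: str, inputs: List[str], fn: Transform) -> None:
        self.data[name], self.version[name] = [], 0    # never built yet
        self.inputs[name], self.transform[name], self.transform_version[name] = inputs, fn, 1

    def update_raw(self, name: str, rows: Rows) -> None:
        """A new transaction against a raw dataset creates a new version."""
        self.data[name], self.version[name] = rows, self.version[name] + 1

    def update_transformation(self, name: str, fn: Transform) -> None:
        self.transform[name], self.transform_version[name] = fn, self.transform_version[name] + 1

    def _stamp(self, name: str) -> dict:
        stamp = {i: self.version[i] for i in self.inputs[name]}
        stamp["__code__"] = self.transform_version[name]
        return stamp

    def is_up_to_date(self, name: str) -> bool:
        return not self.inputs[name] or self.built_from.get(name) == self._stamp(name)

    def _downstream(self, target: str) -> List[str]:
        """target and everything derived from it, in dependency (topological) order."""
        children = {n: [d for d, ins in self.inputs.items() if n in ins] for n in self.inputs}
        order: List[str] = []
        seen = set()

        def visit(n: str) -> None:
            if n in seen:
                return
            seen.add(n)
            for c in children[n]:
                visit(c)
            order.append(n)          # post-order: a node follows all its descendants

        visit(target)
        return order[::-1]

    def push_build(self, target: str) -> List[str]:
        """Rebuild every downstream dataset that is stale; return them in build order."""
        rebuilt = []
        for name in self._downstream(target):
            if self.inputs[name] and not self.is_up_to_date(name):
                self.data[name] = self.transform[name]({i: self.data[i] for i in self.inputs[name]})
                self.version[name] += 1
                self.built_from[name] = self._stamp(name)
                rebuilt.append(name)
        return rebuilt


def example_pipeline() -> BuildService:
    svc = BuildService()
    # Constructed "raw" datasets standing in for two services' daily web logs.
    svc.add_raw("R1", [{"id": 1, "host": "web-a"}, {"id": 2, "host": "web-b"}])
    svc.add_raw("R2", [{"id": 1, "requests": 120}, {"id": 2, "requests": 5}])

    def transformation_a(t: Dict[str, Rows]) -> Rows:   # join R1 and R2 on id
        by_id = {r["id"]: r for r in t["R2"]}
        return [{**r, **by_id[r["id"]]} for r in t["R1"] if r["id"] in by_id]

    def transformation_b(t: Dict[str, Rows]) -> Rows:   # keep busy hosts only
        return [r for r in t["D1"] if r["requests"] >= 100]

    svc.add_derived("D1", ["R1", "R2"], transformation_a)
    svc.add_derived("D2", ["D1"], transformation_b)
    return svc
```

A trigger in the sense of the text is simply `push_build` invoked from `update_raw` or `update_transformation` instead of on demand; the staleness check is what prevents a trigger from rebuilding datasets that the new version does not reach.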

A schema metadata service can store schema information about files that correspond to transactions reflected in the catalog. An identifier of a given file identified in the catalog may be passed to the schema metadata service and the schema metadata service may return schema information for the file. The schema information may encompass data schema related information such as whether the data in the file is structured as a table, the names of the columns of the table, the data types of the columns, user descriptions of the columns, and/or the like.

The schema information accessible via the schema metadata service may be versioned separately from the data itself in the catalog. This allows the schemas to be updated separately from datasets and those updates to be tracked separately. For example, suppose a comma separated value (CSV) file is uploaded to the system as a particular dataset version. The catalog may store, in association with the particular dataset version, identifiers of one or more files in which the CSV data is stored. The catalog may also store, in association with each of those one or more file identifiers, schema information describing the format and type of data stored in the corresponding file. The schema information for a file may be retrievable via the schema metadata service given an identifier of the file as input. Note that this versioning scheme in the catalog allows new schema information for a file to be associated with the file and accessible via the schema metadata service. For example, suppose that after storing initial schema information for a file in which the CSV data is stored, updated schema information is stored that reflects a new or better understanding of the CSV data stored in the file. The updated schema information may be retrieved from the schema metadata service for the file without having to create a new version of the CSV data or the file in which the CSV data is stored.

When a transformation is executed, the build service may encapsulate the complexities of the separate versioning of datasets and schema information. For example, suppose transformation A described above in a previous example that accepts the dataset R1 and dataset R2 as input is the target of a build command issued to the build service. In response to this build command, the build service may determine from the catalog the file or files in which the data of the current versions of datasets R1 and R2 is stored. The build service may then access the schema metadata service to obtain the current versions of the schema information for the file or files. The build service may then provide all of the identifiers or paths to the file or files and the obtained schema information to the data transformation engine to execute transformation A. The underlying data transformation engine interprets the schema information and applies it to the data in the file or files when executing transformation A.

The various data assets (e.g., files, data items, datasets, data tables, portions of datasets, transformations, and/or the like) of the data management system 150 may also be stored in the databases 132.

The data management system 150 can include various permissioning functionalities. For example, the data management system 150 can implement access control lists and/or other permissioning functionality that can enable highly granular permissioning of data assets (e.g., files, data items, datasets, portions of datasets, transformations, and/or the like). The permissioning may include, for example, specific permissions for read/write/modify, and/or the like, which may be applicable to specific users, groups of users, roles, and/or the like.

In an implementation, the data management system 150 includes “projects”, which comprise groups of data assets. Users granted access to a given project are also thereby granted access to all data assets within that project, subject to further permissioning such as read/write/modify, as mentioned above. As further described herein, in an implementation the access management system 110 expands the permissioning functionality of the data management system 150 by associating “purposes” (e.g., as defined by purpose objects) of the access management system 110 with “projects” of the data management system 150. Thus, for example, a user may be granted access to the data assets of a project if they are approved to a particular purpose. Further details regarding granting access to purposes are provided herein.
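The following is an added worked example of the two-level permission check described in the preceding two paragraphs: access to a project is gated on the user holding a purpose associated with that project, and access to an individual data asset within the project is then subject to read/write/modify permissions for the user or one of the user's roles. It is not the present disclosure's implementation; the project, purpose, role and asset names are constructed. Both gates default to deny, and an asset that belongs to no project is unreachable.

```python
from typing import Dict, Iterable, Set, Tuple


class ProjectPermissions:
    """Purpose-gated project access with asset-level operations (constructed example)."""

    def __init__(self) -> None:
        self.project_of_asset: Dict[str, str] = {}
        self.purposes_for_project: Dict[str, Set[str]] = {}
        self.approved_purposes: Dict[str, Set[str]] = {}         # user -> purposes
        self.roles_of_user: Dict[str, Set[str]] = {}
        self.asset_ops: Dict[Tuple[str, str], Set[str]] = {}     # (asset, principal) -> ops

    def add_asset(self, project: str, asset: str) -> None:
        self.project_of_asset[asset] = project

    def link_purpose(self, purpose: str, project: str) -> None:
        self.purposes_for_project.setdefault(project, set()).add(purpose)

    def approve_purpose(self, user: str, purpose: str) -> None:
        self.approved_purposes.setdefault(user, set()).add(purpose)

    def revoke_purpose(self, user: str, purpose: str) -> None:
        self.approved_purposes.get(user, set()).discard(purpose)

    def assign_role(self, user: str, role: str) -> None:
        self.roles_of_user.setdefault(user, set()).add(role)

    def grant(self, asset: str, principal: str, ops: Iterable[str]) -> None:
        """principal is a user name or a role name; ops are read/write/modify."""
        self.asset_ops.setdefault((asset, principal), set()).update(ops)

    def is_allowed(self, user: str, asset: str, op: str) -> bool:
        project = self.project_of_asset.get(asset)
        if project is None:
            return False                     # unassigned assets are not reachable
        # Project gate: at least one approved purpose must be associated with the project.
        held = self.approved_purposes.get(user, set())
        if not held & self.purposes_for_project.get(project, set()):
            return False
        # Asset gate: an explicit permission for the user or one of the user's roles.
        principals = {user} | self.roles_of_user.get(user, set())
        return any(op in self.asset_ops.get((asset, p), set()) for p in principals)


def example_policy() -> ProjectPermissions:
    p = ProjectPermissions()
    p.add_asset("fraud-review", "transactions.csv")
    p.add_asset("fraud-review", "scoring.py")
    p.link_purpose("fraud-investigation", "fraud-review")
    p.approve_purpose("alice", "fraud-investigation")
    p.assign_role("alice", "analyst")
    p.assign_role("bob", "analyst")              # same role, but no approved purpose
    p.grant("transactions.csv", "analyst", ["read"])
    p.grant("scoring.py", "alice", ["read", "write"])
    return p
```

Because the purpose check runs before the asset check, revoking a user's purpose withdraws access to every asset of the associated project at once, with no change to the per-asset permissions.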

V. Example Access Management System and Related Computing Environment

FIG. 3 shows an example block diagram including a computing environment 111 for controlling access to electronic data assets, according to one or more embodiments. The computing environment 111 includes the access management system 110 and the data management system 150, examples of which are described above in reference to FIGS. 1 and 2A-2B. FIG. 3 further shows an example computer system 301 being used by a user 303, and a network 307 enabling communication between the computer system 301 and the access management system 110. As shown, the access management system 110 and the data management system 150 may also be in communication with each other via direct connection, or one or more computer networks. As shown, the access management system 110 may include an authentication service 311 and an access service and/or audit service 313 (generally referred to herein simply as access service 313), and the data management system 150 may include a data interaction service 315.

In various embodiments, the various components and aspects of the access management system 110 and the data management system 150 may be implemented in various ways. For example, the access management system 110 and the data management system 150 may be implemented as a single computing system, and/or various functions or services of the two may be split up and/or arranged differently from that shown in the example computing environment 111 of FIG. 3. Thus, for example, while in FIG. 3 dataset(s) 156 and database(s) 109 are shown as being implemented in the respective data management system 150 and access management system 110, in other implementations the datasets/databases may be combined, separated into additional datasets/databases, and/or the like. Similarly, the ontology 105, and the database(s) 132 may be combined and/or separated, and/or combined with one or more of the dataset(s) and database(s) 109. As another example, the various services of the data management system 150 and access management system 110 may be combined and/or separated into additional services, and/or may be implemented in different ones of the various systems of the present disclosure. However, for the purpose of providing a concise description in the present disclosure, the various functionalities are described in reference to the example implementation shown in the computing environment 111 of FIG. 3.

As used herein, the term “system” generally refers to the access management system 110, but may also include various aspects of the data management system 150 and/or other computer systems of the present disclosure.

In general, and as further described herein, the authentication service 311 may authenticate users who access the system, e.g., via a username and password, and/or other appropriate authentication mechanisms. Also, in general and as further described herein, the access service 313 may provide, to various users, purpose-based access to data assets (e.g., data items, datasets, and/or the like, which may be stored in the dataset(s) 156 and/or another data store or database of the system), and may also provide various functionalities for permissioning, generating and/or modifying objects (e.g., purpose objects, data asset objects, purpose access request objects, data access request object, various user objects, and/or the like), providing interactive user interfaces, and/or the like. Also, in general and as further described herein, the data interaction service 315 may provide various users with interactive user interfaces for interacting with data assets, e.g., data assets associated with a purpose/“project”.

The example computer system 301, with which a user 303 may interact, communicates with the system via the network 307 (e.g., a local or extended network, which may include the Internet, and which may include multiple networks that may variously be wired or wireless) to, for example, transmit authentication credentials 305, receive and/or send data and/or commands, and provide various interactive user interface functionality to the user. The example computer system 301 is representative of multiple computer systems that may communicate with the access management system 110 and/or data management system 150, and which may be used by various types of users for the various functionality as described herein.

VI. Authentication

A user can be authenticated using authentication credentials, e.g., based on a username and password provided by the user. The user 303 may use a variety of different types of computer systems 301 to access various resources. The computer system 301 can include a desktop, laptop, terminal, smartphone, smartTV, and/or the like. The user 303 may desire to access a variety of resources, such as files, folders, computing machines, memory, processors, servers, hard drives, databases, laptops, RSA tokens, client badges, and/or the like, including time or job slots for using any of the aforementioned resources/data assets. Access to the resources can be restricted and audited as discussed herein.

The authentication credentials 305 provided by a user can include a username and password. In various embodiments, the authentication credentials 305 can include additional information, such as answers to challenge questions, hardware identifiers, passwords received through a second communication channel via N-factor authentication, time-based authentication data, and/or the like. The authentication credentials 305 can be transmitted through a network 307 to the access management system 110 to authenticate the user 303.

The access management system 110 can use the authentication service 311 to compare the authentication credentials 305 against the authentication credentials of known user objects (e.g., analyst user objects, purpose sponsor objects, data asset owner objects, and/or the like) in, e.g., database 109 and/or another database. An example flowchart for the authentication service 311 is discussed in reference to FIG. 4.

The access management system 110 can use an access and/or audit system to manage user access to various computer resources/data assets. Example flowcharts and functionality for access and/or audit services are described, e.g., in reference to FIGS. 5A-5B, 6A-6B, and 7A-7D, and the various Figures with example interactive graphical user interfaces of the present disclosure.

The database 109 can include a plurality of objects representing known users. The database 109 can additionally include a plurality of other objects, such as shown and described in reference to FIG. 5A.

The known user object is represented with an object model, and can have a plurality of properties. For example, the known user object can include a property such as “Authen_Info” to indicate information used for authentication credentials. The authentication credentials can include a username, a password stored in hashed or encrypted form, the hashing or encryption scheme used, and/or the like. In practice a salted, deliberately slow hash is the preferred stored form: unlike an encrypted password, a hash cannot be recovered if the database is exposed. The authentication credentials can include string values, other object types, and/or references to other resources such as an encrypted database.

The known user object can also include properties such as “Author_Info” to indicate the various authorizations that the known user holds. In some embodiments, the authorizations can specify permissions such as objects and/or types of objects the user has authorization to read from, write to, modify, and/or otherwise access. In some embodiments, the property indicating authorizations of the known user object can be omitted, and authorizations can be handled at an operating system level or other level. Other properties can indicate linked objects that represent purposes for accessing resources, as described herein. Although the object model includes example types/objects associated with each property, it will be understood that various embodiments can use different data types and/or types of objects for the properties. For example, the Authen_Info can be an object indicating authentication credentials, a String, a double, and/or the like. As further explained with respect to FIG. 5A, any of the properties of the various objects can additionally or alternatively be indicated using links.

FIG. 4 shows a block diagram illustrating an example authentication service (e.g., which may be implemented by authentication service 311), according to one or more embodiments. At block 401, a username and password provided by a user can be received. In some embodiments, other authentication credentials can be received as well.

At block 405, a database (such as database 109 of FIG. 3) can be searched for instances of known user objects that match the username provided by the user. In some embodiments, the search can be performed by referencing an index. A matching known user object can be found. In some embodiments, the searching for a matching user can be performed at the operating system level with or without the use of objects.

At block 411, it can be determined if the password provided by the user and the stored password for the matching known user match. In various embodiments, either one or both of the stored password or the password provided by the user may be modified, at block 407 and at block 409 respectively, before the comparison is performed at block 411 to determine a match. Modifications to passwords can include encryption, decryption, salting, hashing, and/or the like. In a hash-based scheme, block 409 applies the stored salt and scheme to the password provided by the user, so that block 411 compares two digests rather than two plaintext values; that comparison should be constant-time, so that the time it takes does not reveal how many leading bytes matched.

If at block 411, the password provided by the user and the stored password of the known user do not match, then at block 413, the user is denied authentication and denied access. If at block 411, the password provided by the user and the stored password of the known user do match, at block 415, the user can be authenticated as a known user. Further access to resources/data assets can be restricted as discussed in reference to, e.g., FIGS. 5A-5B, 6A-6B, and 7A-7D, and the various Figures with example interactive graphical user interfaces of the present disclosure.
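The following is an added example of the FIG. 4 flow (blocks 401 to 415) as a working authentication service; it is not code from the patent. It assumes a hash-based Authen_Info (PBKDF2-HMAC-SHA256 with a per-user salt, which is one choice among the "salting, hashing" modifications the text allows), a constructed in-memory stand-in for the known user objects of database 109, and hypothetical function names. The work factor is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, tune it for your hardware.
ITERATIONS = 100_000


def make_authen_info(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the Authen_Info property for a known user object.

    The password itself is never stored: only a random per-user salt, the scheme,
    the work factor, and the salted digest (the block 407 transformation, done once
    at enrolment rather than on every login).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


# Constructed stand-in for the known user objects held in database 109.
KNOWN_USERS = {
    "analyst.alice": {
        "Authen_Info": make_authen_info("correct horse battery staple"),
        "Author_Info": {"roles": ["analyst"]},
    },
    "sponsor.bob": {
        "Authen_Info": make_authen_info("another long passphrase 42"),
        "Author_Info": {"roles": ["purpose_sponsor"]},
    },
}

# Dummy record used when the username is unknown, so an unknown user costs the
# same amount of work as a wrong password and is not detectable by timing.
_DUMMY_INFO = make_authen_info("placeholder")


def find_known_user(username: str, users: dict = KNOWN_USERS):
    """Block 405: look up the known user object matching the supplied username."""
    return users.get(username)


def derive_digest(password: str, authen_info: dict) -> bytes:
    """Block 409: apply the stored scheme, salt and work factor to the supplied password."""
    if authen_info["scheme"] != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {authen_info['scheme']!r}")
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(authen_info["salt"]),
        authen_info["iterations"],
    )


def authenticate(username: str, password: str, users: dict = KNOWN_USERS) -> bool:
    """Blocks 401-415: True if the credentials match a known user object, else False."""
    user = find_known_user(username, users)
    info = user["Authen_Info"] if user is not None else _DUMMY_INFO
    candidate = derive_digest(password, info)
    stored = bytes.fromhex(info["digest"])
    # Block 411: constant-time comparison of digests, never of plaintext passwords.
    matched = hmac.compare_digest(candidate, stored)
    # Blocks 413/415: an unknown username is denied even if the dummy digest matched.
    return matched and user is not None
```

The dummy-record branch matters more than it looks: without it, a login against an unknown username returns immediately, while a known username pays the full PBKDF2 cost, and the difference enumerates valid usernames.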

VII. Example Purpose-Based Access to Data Assets and Associated Example Object Model

After authenticating the identity of a user, the system can then determine which data assets the user is authorized to access, and permissions of the user as related to those data assets. Data asset access in the system of the present disclosure is based on purposes. The system uses an object model (e.g., based on an ontology as described above in reference to FIG. 1) for managing or controlling access to electronic data assets based on purposes, an example of which is illustrated in FIG. 5A. As shown in FIG. 5A, data object types of the object model include access-related objects 501, and user objects 502. The access-related objects include purpose access request objects 503, purpose objects 504, data access request objects 506, and data asset objects 508. The user objects 502 include analyst user objects 510, purpose sponsor objects 512, and data asset owner objects 514. Further details regarding these various types of objects are described herein.

Various users of the system can act in various roles for enabling the purpose-based access. These user roles include, for example, (1) purpose sponsor user, who is the responsible risk owner, and who approves purpose access requests and creates data access requests; (2) data asset owner user, who is responsible for one or more data assets, and who reviews data access requests for the data assets that they own; and (3) analyst user, who creates purpose access requests with clear justifications for the requests, and who then accesses and analyzes data. Purpose sponsor users and data asset owner users each have the ability to assign delegates or administrators for acting on their behalf for various types of requests.

The system may generate objects associated with various user interacting with the system in various roles according to the object model, e.g.: analyst user objects 510, purpose sponsor objects 512, and data asset owner objects 514. As illustrated in FIG. 5A, each instantiation of the various user objects may include various properties, including for example, organization, department, job title, and/or the like. Additional example properties that may be associated with user objects are illustrated in reference to the various Figures with example interactive graphical user interfaces of the present disclosure.

The system may further generate objects associated with purposes and data assets according to the object model, e.g.: purpose objects 504 and data asset objects 508. As illustrated in FIG. 5A, each instantiation of a purpose object may include various properties, including for example, description, review data, and/or the like. Further, each instantiation of a purpose object may be associated with, and/or linked to, a purpose sponsor user that may be responsible for managing the purpose, including for example, creating the purpose object, approving purpose access requests, creating data access requests, and/or the like. Further, in various implementations, each instantiation of a purpose object may be associated with, linked to, and/or include a “tag,” indicating a particular characteristic of the purpose or a purpose type, enabling an organization to maintain and/or classify different categories of purposes. As also illustrated in FIG. 5A, each instantiation of a data asset object may include various properties, including for example, description, various metadata, various key attributes, and/or the like. Further, each instantiation of a data asset object may be associated with, and/or linked to, a data asset owner user that may be responsible for managing the data asset, including for example, reviewing data access requests, and/or the like. Further, in various implementations, each instantiation of a data asset object may be associated with, linked to, and/or include resources other than just pure data that may be used by a purpose. Additional example properties that may be associated with purpose objects and data asset objects are illustrated in reference to the various Figures with example interactive graphical user interfaces of the present disclosure.

The system may further generate objects associated with access requests according to the object model, e.g.: purpose access request objects 503 that link an analyst user to a purpose, and data access request objects 506 that link data assets to a purpose. As illustrated in FIG. 5A, each instantiation of a purpose access request object may include various properties, including for example, justification or legal basis, evidence, documentation, privilege or permissions, and/or the like. Further, each instantiation of a purpose access request object may be associated with, and/or linked to, an analyst user that may have generated the request, and a purpose associated with the request. As also illustrated in FIG. 5A, each instantiation of a data access request object may include various properties, including for example, legal basis or justification, proportionality, and/or the like. Further, each instantiation of a data access request object may be associated with, and/or linked to, a purpose sponsor user that may have generated the request, and a data asset associated with the request.

Further, as illustrated in FIG. 5B, the system may generate objects associated with “derived data assets” according to the object model, e.g.: derived data asset object 526. A derived data asset object may be similar to a data asset object, but may be associated with, linked to, and/or include additional information related to a derivation, provenance, and/or lineage of the associated data asset, among other information. In various implementations, a derived data asset object may represent a derived data asset that may be based on or result from one or more source data assets and/or one or more transformations processes (e.g., as described above in reference to FIG. 2B), among other aspects. Each instantiation of a derived data asset object may include various properties, including for example, description, various metadata, various key attributes, and/or the like. In an example, a derived data asset may be generated in a purpose (e.g., as represented by purpose data object 524), and/or separately from a purpose. A purpose may include permissions and/or approval for a user to create a derived data asset from one or more data assets included with the purpose. A data asset and/or derived data asset may be a shared resource between different purposes. Further, each instantiation of a derived data asset object may be associated with, and/or linked to, one or more purposes that have access to the derived data asset, and to various data access request objects 528. In some implementations, a derived data asset object may be a sub-type of a data asset object; in other implementations, a derived data asset object may be a separate object type from a data asset object. In various implementations, a derived data asset object may serve the same function as a data asset object and be used interchangeably with a data asset object in various workflows.

In general, the object model of the present disclosure provides a framework for purpose-based access to data assets. For example, and as noted above, a given purpose is represented by a purpose object, and is associated with a “project” of the system. Particular data assets, as represented by respective data asset objects, are associated with the purpose/“project” via one or more data access requests, as represented by data access request objects. Particular analyst users, as represented by respective analyst user objects, are associated with the purpose/“project” via one or more purpose access requests, as represented by purpose access request objects. When an analyst user is granted access to a purpose by a purpose sponsor user (e.g., an approval is provided in a purpose access request object associated with or linked to the analyst user object and the purpose object), the analyst user is then able to access all data assets associated with the purpose (e.g., where data access request objects have been approved that associate or link data asset objects to the purpose object). Additionally, purpose sponsor users, as represented by respective purpose sponsor objects, are associated with purpose objects such that the purpose sponsor user can (1) generate data access request objects that, if approved by the appropriate data asset owner users associated with the data asset objects, can associate or link data assets to the purpose, and (2) review and approve or not approve purpose access request objects. Yet further, data asset owner users, as represented by respective data asset owner objects, are associated with data asset objects such that the data asset owner user can review and approve or not approve data access requests.

In addition to associating or linking an analyst user object with a purpose object via approval of a purpose access request object, each given purpose access request can be associated with privileges/permissions/authorizations, which may include the extent to which the given analyst user may interact (e.g., read/write/modify/execute/etc.) with the data that they are given access to in the purpose. The privileges/permissions/authorizations may be determined based on an “access type”, which may be provided by the analyst user and/or the purpose sponsor user for the purpose access request.

A given analyst user object may be associated with or linked to multiple purpose access request objects and/or purpose objects. A given purpose sponsor object may be associated with or linked to multiple purpose access request objects, purpose objects, and/or data access request objects. A given data asset owner object may be associated with or linked to multiple data access request objects and/or data asset objects. A given purpose object may be associated with or linked to multiple purpose access request objects, data access request objects, data asset objects, and/or analyst user objects. A given data asset object may be associated with or linked to multiple data access request objects, and/or purpose objects. In some implementations, portions of data assets may be associated with or linked to data access request objects and/or purpose objects. As noted above, purpose sponsor users and data asset owner users may assign delegates or administrators to act on their behalf. Such delegates or administrators, in various implementations, may or may not be represented by objects in the system. Thus, in some implementations, multiple purpose sponsor objects (and/or purpose sponsor delegate user objects) may be associated with or linked to a given purpose object, purpose access request object, and/or data access request object. Similarly, in some implementations, multiple data asset owner objects (and/or data asset owner delegate user objects) may be associated with or linked to a given data asset object and/or data access request object.

The various objects of the object model can store metadata associated with various aspects of the purpose-based data access, which may advantageously enable investigation and auditing. For example, each purpose access request object may include a justification or legal basis, evidence or documentation, and/or the like, as metadata/properties of the purpose access request object. As another example, each data access request object may include a legal basis or justification, proportionality information (e.g., ensuring that the scope of the data assets is proportional to the purpose for which it is requested), and/or the like, as metadata/properties of the data access request object. The system may further advantageously use the metadata to generate and/or export various reports, which may be reviewed and edited by users. For example, metadata from a purpose access request object or a data access request object may enable the generation of a report assessing the risk of the purpose access request or data access request. As another example, according to various implementations, the system may use metadata from a data asset object and related purpose objects to generate a report informing a data asset owner, or a data subject outside of the organization with an interest in a specific data asset, what purposes the specific data asset is being used for. To enable the generation and/or exportation of reports, the system may provide an API for allowing a data subject to query the system as to how the data subject's data is being used. In various implementations, the API may perform a search of all data asset objects and, for any relevant data asset object found, the API may perform a search around on all relevant purpose objects. Furthermore, reports may advantageously be generated and/or exported according to any appropriate format or template, and as any appropriate filetype (e.g., as a PDF). In various implementations, the system may enable an organization to control and/or limit what purposes are included in various types of reports.

According to various implementations, the object model of the present disclosure provides a number of advantages associated with providing purpose-based access to data assets. For example, the object model can ensure that no analyst user is granted access to data assets except through a purpose, because analyst user objects are not directly linked to any data asset object. As another example, purpose sponsor users can provide oversight regarding all analyst users that can access a given purpose, because analyst users are only associated with a given purpose object via purpose sponsor user approval of particular purpose access request objects. As yet another example, purpose sponsor users can modify the data assets that are available in a given purpose/“project” via removal of associations or links with data access request objects and/or data asset objects, and/or by requesting additional data asset objects to be associated with or linked to a purpose object via data access request objects. As another example, data asset owner users can provide oversight regarding what purposes have access to which data assets, and whether it is appropriate to provide access to multiple data assets in a given purpose, by approving or not approving data access request objects that can associate or link data assets to particular purposes. As yet another example, and as mentioned above, auditing and review of various data accesses is facilitated by capturing relationships among the various objects, and the metadata/properties captured with the various objects. Further, by using the object model, various users can more easily make and propagate large scale changes to the system as compared to, for example, individually editing users' permissions or tracking access in spreadsheets. For example, data assets can easily be added to or removed from a given purpose, enabling rapid re-scoping of the data available for a given purpose.

FIG. 6A shows a block diagram illustrating an example data flow or workflow of the system, including example interactions related to managing or controlling access to electronic data assets based on purposes, according to one or more embodiments. FIG. 6A only illustrates one example data flow of the system, and other data flows and functionality are contemplated and described herein. In various implementations various aspects of the example data flow of FIG. 6A may be ordered differently, may be optional, and/or may be removed, and/or additional aspects may be added.

At action 1, a purpose sponsor user creates a new purpose (e.g., a purpose titled: Dashboard for Regional Decision Makers), causing the generation of a purpose object. At action 2, the purpose sponsor user identifies data assets for inclusion within the scope of the purpose. At action 3, as part of the identification of data assets for inclusion, the purpose sponsor user may determine any relevant granular access restrictions (e.g., geography or role-based restrictions). At action 4, the purpose sponsor user requests use of a data asset from the data asset owner user, providing justification and/or legal basis, causing the generation of one or more data access request objects. Related metadata is recorded with the data access request objects. At action 5, following an assessment, the data asset owner user (and/or their delegates) approves the use of the data asset under the purpose. The approval is recorded with the data access request object as metadata. At action 6, the purpose sponsor user optionally nominates key roles for automatic approval for access to the purpose (e.g., regional directors have automatic access to purpose: “Dashboard for Regional Decision Makers”). Additionally, or alternatively, individual users can request access to the purpose. In either case, the system generates corresponding purpose access request objects. Related metadata is recorded with the purpose access request objects. At action 7, the purpose sponsor user (and/or their delegates) grants access to the purpose on a case-by-case basis (e.g., for other individuals within regions, as nominated by regional directors). The grant of access is recorded with the purpose access request object as metadata.

Additional data can be brought into the scope of the purpose at the request of the purpose sponsor user and with the approval of the data asset owner user, following a similar flow to that described above. When additional data is brought into a purpose, all analyst users with access to the purpose are granted access to the additional data, when accessed within the purpose. When an analyst user wants to access data assets, they first select a purpose, after which they may subsequently be granted access to the data assets associated with that purpose. The analyst user may access different data assets associated with different purposes by switching from one approved purpose to another, but, according to an implementation, may not access data assets associated with multiple purposes simultaneously. Thus, according to various implementations, analyst users may not directly access data assets in the system without going through/initially identifying a purpose and getting approval for that purpose. Advantageously, in view of the flow described above and the object model of the system, at any time it may be possible to answer questions such as: “what data can this analyst user see?”, “why are they allowed to see it?”, and the like.

FIG. 6B is a block diagram illustrating an example data flow or workflow of the system involving derived data assets. FIG. 6B only illustrates one example data flow of the system, and other data flows and functionality are contemplated and described herein. In various implementations various aspects of the example data flow of FIG. 6B may be ordered differently, may be optional, and/or may be removed, and/or additional aspects may be added.

At action 1, a data asset owner approves a request to associate a data asset with a specific purpose, and the purpose is granted access to the data asset. At action 2, a derived data asset is created within the purpose (or, in some implementations, the derived data asset may be created separate from a purpose). The derived data asset may include some or all of the original data asset and may also include certain data not previously in the original data asset. For example, the derived data asset may be a filtered version of the original data asset, combined with another data asset (in whole or in part), transformed in some other way, and/or any combination of these or other transformation processes. Initially, a derived data asset may only be accessible to the original approved purpose. At action 3, the original data asset owner and the purpose sponsor approve a request to associate the derived data asset with a second purpose, and the second purpose is granted access to the derived data asset. In this example, the data access request for the derived data asset must be approved by all upstream data asset owners and the original purpose sponsor, so both the original data asset owner and the original purpose sponsor must approve the request. Alternatively, if the derived data asset is a combination of two or more data assets, approval may be required from the data asset owners of each of the two or more data assets, and/or the original purpose sponsor. At action 4, a second derived data asset is created within the second purpose (or, in some implementations, the second derived data asset may be created separate from a purpose). At action 5, the original data asset owner, the first purpose sponsor, and the second purpose sponsor all approve a request to associate the second derived data asset with a third purpose, and the third purpose is granted access to the second derived data asset. Alternatively, if the second derived data asset is a combination of two or more data assets, approval may be required from the data asset owners of each of the two or more data assets, and/or one or more of the first and second purpose sponsors.

FIG. 6C shows a block diagram illustrating another example data flow or workflow of the system involving derived data assets. The flow illustrated in FIG. 6C is similar to the flow illustrated in FIG. 6B. However, in action 3, the original data asset owner severs the original data asset approval requirement, meaning that additional downstream derived data assets do not require the original data asset owner's approval to be used by a purpose. A data asset owner may choose to do this when the data has been aggregated or transformed in some way such that case-by-case approvals around the use of such data are no longer necessary. At action 5, as a result of this severance, the original data asset owner does not need to approve the data access request for the third purpose to use the second derived data asset. Such severances of data asset approval requirements may also similarly be applied to purpose sponsors.
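The approval rule for derived data assets in FIG. 6B, and the severance of FIG. 6C, amount to a walk over the lineage graph. The following is an added example of that walk, not code from the patent: it assumes hypothetical `Purpose` and `DataAsset` records with explicit `sources` links, and it models severance as a flag that drops a contributor only when that contributor is reached through lineage (direct use of an owner's own asset still needs the owner, and when a severance takes effect relative to an in-flight request is an assumption, since the text does not say). The lineage built by `build_fig_6b` is constructed to mirror FIG. 6B.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Purpose:
    name: str
    sponsor: str
    # FIG. 6C, last sentence: a sponsor may likewise sever the requirement that they
    # approve reuse of data derived downstream of their purpose (assumed flag).
    approval_severed: bool = False


@dataclass
class DataAsset:
    name: str
    owner: str | None = None                  # data asset owner user (source assets)
    created_in: Purpose | None = None         # purpose in which a derived asset was created
    sources: list[DataAsset] = field(default_factory=list)
    # FIG. 6C action 3: the owner severs the requirement that they approve use of
    # assets derived downstream of this one; direct use of this asset still needs them.
    approval_severed: bool = False

    @property
    def is_derived(self) -> bool:
        return bool(self.sources)


def required_approvers(asset: DataAsset) -> set[str]:
    """Users whose approval a data access request for `asset` needs.

    FIG. 6B rule: every upstream data asset owner plus the sponsor of every purpose
    in which an upstream derived asset was created. A severed contributor (FIG. 6C)
    is skipped only when reached through lineage, not for its own asset or product.
    """
    approvers: set[str] = set()
    seen: set[int] = set()

    def walk(a: DataAsset, via_lineage: bool) -> None:
        if id(a) in seen:                     # a shared upstream asset is counted once
            return
        seen.add(id(a))
        if a.owner is not None and not (via_lineage and a.approval_severed):
            approvers.add(a.owner)
        p = a.created_in
        if p is not None and not (via_lineage and p.approval_severed):
            approvers.add(p.sponsor)
        for s in a.sources:
            walk(s, True)

    walk(asset, False)
    return approvers


def request_approved(asset: DataAsset, approvals: set[str]) -> bool:
    """A data access request is approved once every required approver has signed off."""
    return required_approvers(asset) <= approvals


def build_fig_6b(sever_original_owner: bool = False) -> dict[str, DataAsset]:
    """Constructed lineage mirroring FIG. 6B (FIG. 6C when sever_original_owner is set)."""
    p1 = Purpose("purpose-1", "sponsor-1")
    p2 = Purpose("purpose-2", "sponsor-2")
    original = DataAsset("original", owner="owner-A", approval_severed=sever_original_owner)
    derived_1 = DataAsset("derived-1", created_in=p1, sources=[original])    # action 2
    derived_2 = DataAsset("derived-2", created_in=p2, sources=[derived_1])   # action 4
    return {"original": original, "derived-1": derived_1, "derived-2": derived_2}
```

With the FIG. 6B lineage, `required_approvers` returns {owner-A, sponsor-1} for derived-1 (action 3) and {owner-A, sponsor-1, sponsor-2} for derived-2 (action 5); with the owner's severance set, derived-2 needs only the two sponsors, which is the FIG. 6C outcome. The `seen` set keeps a diamond-shaped lineage (one source feeding two derived assets that are later combined) from counting an owner twice or looping.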

In some implementations, the system and/or users of the system (e.g., governance users) may restrict sharing or associating of derived data assets from one purpose to another, or among purposes with certain characteristics.

As mentioned above, in various implementations, while the permissions/privileges/authorizations of analyst users are specified in the purpose access requests, the data management system 150, an operating system, a file management system, and/or other service (such as an access control list (“ACL”) service) can enforce those permissions/privileges/authorizations with respect to the data assets that the analyst users can access in a given purpose. Thus, according to various implementations, for example, an access management system 110 with an access service and object model as described herein can be built on top of an existing data management system 150, enabling purpose-based access to the data assets of the data management system 150. For example, in various implementations, the system described herein may be implemented on top of existing access control systems (e.g., geography or role-based restrictions). For example, in various implementations, the system may enable one or more purposes to be associated with an existing role, such that all users with the role would have access to data assets associated with the one or more purposes.

Further details and examples of functionality of the system that provides for purpose-based access to data assets based on an object model are provided herein in reference to, for example, the flowcharts of FIGS. 7A-7D. Further, according to various embodiments, various interactive graphical user interfaces are provided for allowing various types of users to interact with the systems and methods described herein to, for example, generate, review, and/or modify purpose objects, purpose access request objects, data access request objects, and/or the like. Examples are described in reference to the various Figures with example interactive graphical user interfaces of the present disclosure (e.g., FIGS. 9A-9C, 10A-10F, 11A-11B, 12A-12F, 13A-13E, and 14A-14K). Additional related functionality is described in reference to the other Figures of the present disclosure (e.g., FIGS. 15A-15B, 16A-16D, 17A-17C, 18, and 19A-19J).

For example, as described herein, various interactive graphical user interfaces may be provided such that (1) an analyst user may request access to purposes and/or access data assets associated with purposes for which they have been approved, (2) a purpose sponsor user may review and approve (or deny) purpose access requests, generate data access requests, investigate relationships among various objects, and/or the like, (3) a data asset owner user may review and approve (or deny) data access requests, investigate relationships among various objects, and/or the like, and (4) a governance administrator user and/or a purpose sponsor user may review, analyze, and change, and otherwise interact with various policies, data assets, purposes, requests, approvals, denials, alerts, and/or the like. In some embodiments, the roles of governance administrator user and purpose sponsor user may overlap partially or fully, or a single one of these roles may fulfill the responsibilities of both.

In various implementations, links between objects can be achieved in different ways. For example, FIG. 5A shows symmetrical links between various objects. Some implementations may implement one-directional links in various circumstances and between various objects. In various implementations, links may be implemented through properties of objects, or may additionally or alternatively be implemented using links which may be separate from the objects (as described herein in reference to FIG. 1). Such links can include a description regarding the type of link, and a first linked object and a second linked object that are linked to each other. Thus, in various implementations, one, some, or all objects discussed herein can be linked by a link instead of (or in addition to) being linked through matching properties. In some implementations, a link can include additional (e.g., third, fourth, . . . , Nth) linked objects and indicate more complex multi-object relationships.

VIII. Additional Example Operations of the System

FIGS. 7A-7D show flowcharts illustrating example operations of the system, according to one or more embodiments. The blocks of the flowcharts illustrate example implementations, and in various other implementations various blocks may be rearranged, optional, and/or omitted, and/or additional blocks may be added. The example operations of the system illustrated in FIGS. 7A-7D may be implemented, for example, by the access service 313 of the access management system 110 and/or various aspects of the data management system 150, and such operations may follow authentication of a user (such as described with reference to FIG. 4). As mentioned above, in various implementations, an operating system, file management system, and/or other service (e.g., authentication service 311 and/or aspects of the data management system 150) can manage authentication and authorizations/permissions/privileges of a user.

Referring to FIG. 7A, at block 702 the system receives, from an analyst user, a request to access data assets associated with a purpose (e.g., as represented by a purpose object). At block 704, in response to receiving the request from the analyst user, the system generates a purpose access request object including at least an identification of the analyst user and an identification of the purpose object. Further, at block 704 the system provides an indication of the purpose access request object to a purpose sponsor user associated with the purpose/purpose object. At block 708, the purpose sponsor user may then review the request, and either approve or deny the request. If the request is denied, at block 710 the system updates the purpose access request object to include an indication of the denial. If the request is approved, at block 712 the system updates the purpose access request object to include an indication of the approval. Further, at block 714 the system grants the analyst user access to data assets associated with the purpose/purpose object.

As described above, in various implementations, access to data assets associated with a purpose may be granted using a role-based system. Referring to FIG. 7B, at block 762 the system receives a request to allow all analyst users of a certain role to access a purpose (e.g., as represented by a purpose object). At block 764, in response to receiving the request, the system generates a purpose access request object including at least an identification of the role and an identification of the purpose object. Further, at block 766 the system provides an indication of the purpose access request object to a purpose sponsor user associated with the purpose/purpose object. At block 768, the purpose sponsor user may then review the request, and either approve or deny the request. If the request is approved, at block 772 the system updates the purpose access request object to include an indication of the approval. Further, at block 774 the system grants all analyst users associated with the role access to data assets associated with the purpose/purpose object. In various implementations, user roles may be associated with user role objects, which may be associated with purpose access request objects, to grant users associated with those roles access to the approved purposes. Alternatively, or in addition, upon approval of a role to access a purpose, relevant user objects may be associated with such purpose access request objects.

Referring to FIG. 7C, at block 722 the system receives, from the purpose sponsor user, a request to associate a data asset (as represented by a data asset object) with the purpose object. At block 724, in response to receiving the request from the purpose sponsor user, the system generates a data access request object including at least an identification of the purpose object and an identification of a data asset object associated with the data asset. Further, at block 726 the system provides an indication of the data access request object to a data asset owner user associated with the data asset/data asset object. As previously mentioned, if the data asset object associated with the data access request object is a derived data asset object, the system also provides an indication of the request to the original purpose sponsor and/or data asset owner, and/or all upstream purpose sponsors and/or data asset owners, as applicable. At block 728, the data asset owner user may then review the request, and either approve or deny the request. If the request is denied, at block 730 the system updates the data access request object to include at least an indication of the denial. If the request is approved, at block 732 the system updates the data access request object to include at least an indication of the approval of the request. At block 734, the system filters the data within the data asset object according to instructions received from the data asset owner who approved the request. In some embodiments, the system may filter the data according to a pre-determined filtration rule without intervention by the data asset owner. Further, at block 736 the system associates the data asset object with the purpose object, and at block 738 the system grants the analyst user access to the data asset via the purpose/purpose object.

In an example, the purpose access request object may be linked to an analyst user object associated with the analyst user, the purpose object may be linked to the purpose access request object, the data access request object may be linked to the purpose object, and the data asset object may be linked to the data access request object. In a further example, the data asset may be associated with the purpose object by way of the purpose object being linked to the data access request object, and the data access request object being linked to the data asset object. In yet a further example, the analyst user may be associated with the purpose object by way of the purpose object being linked to the purpose access request object, and the purpose access request object being linked to the analyst user object.

In various implementations, the system may perform additional operations including: receiving an input from the purpose sponsor user requesting to view a graph view of objects associated with the analyst user, and in response to receiving the input, generating a graph view of objects associated with the analyst user. The graph view may include graphical nodes indicative of objects and graphical connectors indicative of links between the objects, wherein the objects associated with the analyst user include: an analyst user object associated with the analyst user, any purpose access request objects associated with the analyst user object, any purpose objects associated with any of the purpose access request objects, any data access request objects associated with any of the purpose objects, and any data asset objects associated with any of the data access request objects. In an example, in the graph view the purpose access request object may be linked to the analyst user object, the purpose object may be linked to the purpose access request object, the data access request object may be linked to the purpose object, and the data asset object may be linked to the data access request object.

In various implementations, the system may require that the purpose sponsor user provide a justification with the request to associate the data asset with the purpose/purpose object, and the justification may be included in the data access request object as metadata.

In various implementations, the system may require that the analyst user provide a justification with the request to access data assets associated with the purpose/purpose object, and the justification may be included in the purpose access request object as metadata. The purpose access request object may further be associated with an access type provided by the analyst user, and the access type may affect permissions of the analyst user with respect to the data assets associated with the purpose object.

In various implementations, the system may filter a data asset according to a default minimization rule before associating the data asset object with a purpose object. Further, the system may allow the data asset owner user to filter a data asset before associating the data asset object with a purpose object. In various implementations, the filtered data asset may constitute a derived data asset generated in the purpose. Filtering may be applied on rows, columns, and/or the like. Such filtering may be automatic and may be based on a “scope” associated with the data asset, the purpose, and/or the like (and as further described herein).

As noted above, in various implementations the system may store an ontology or object model defining a plurality of object types and associated properties, and further defining relationships among the object types. The object types may include at least: an analyst user object type, a purpose access request object type, a purpose object type, a data access request object type, and a data asset object type. In the object model, the analyst user object type may not be related to the data asset object type. In various implementations, the ontology may define a plurality of different categories of purpose objects. A purpose object may be categorized based on various properties of the purpose object, including a purpose tag and/or purpose type.

Referring to FIG. 7D, at block 742 the system generates a purpose object (e.g., in response to a purpose sponsor user requesting to generate a new purpose). At block 744, the system associates a data asset object with the purpose object in response to approval of a data access request (which data access request may be generated in response to a request from the purpose sponsor user, and may be approved by a data asset owner user associated with the data asset associated with the data asset object). At block 746, the system stores information associated with the data access request as a data access request object. At block 748, the system associates an analyst user object with the purpose object in response to approval of a purpose access request (which purpose access request may be generated in response to a request from an analyst user associated with the analyst user object, and may be approved by the purpose sponsor user associated with the purpose object). At block 750, the system stores information associated with the purpose access request as a purpose access request object. At block 752, the system grants the analyst user associated with the user object access to the data asset associated with the data asset object when the analyst user indicates a purpose associated with the purpose object.

According to various implementations, the granting of access may be based on: (1) the association between the data asset object and the purpose object, and (2) the association between the user object and the purpose object. According to various implementations, a basis of the analyst user's access to the data asset may be auditable via at least the purpose access request, including metadata associated with the purpose access request. Further, according to various implementations, the data access request may be approved by a data asset owner user associated with the data asset object, the purpose access request may be approved by a purpose sponsor user associated with the purpose object, and the analyst user, the data asset owner user, and the purpose sponsor user are different persons. Further, according to various implementations, the system may enable users to configure various access requests to be automatically approved.
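The flow of FIGS. 7A-7D as an added example that is not code from the patent or its applicant: an in-memory model in which access to a data asset exists only through a purpose, i.e. only when an approved purpose access request links the analyst to the purpose and an approved data access request links the asset to it. The class and method names, the request fields and the sample ids are assumptions made for illustration.

```python
# Added example (not code from the patent or its applicant): an in-memory model of
# the purpose-based approval flow of FIGS. 7A-7D. All names and ids are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Purpose access request (subject = analyst) or data access request (subject = asset)."""
    request_id: str
    subject_id: str
    purpose_id: str
    justification: str
    status: str = "pending"                  # pending | approved | denied
    history: List[dict] = field(default_factory=list)   # auditable event history

    def record(self, event: str, actor: str, reason: str = "") -> None:
        self.history.append({"event": event, "by": actor, "reason": reason})


class PurposeAccessModel:
    def __init__(self, sponsors: Dict[str, str], owners: Dict[str, str]) -> None:
        self.sponsors = sponsors     # purpose_id -> purpose sponsor user
        self.owners = owners         # asset_id -> data asset owner user
        self.purpose_requests: Dict[str, Request] = {}
        self.data_requests: Dict[str, Request] = {}
        self._counter = 0

    def _next_id(self, prefix: str) -> str:
        self._counter += 1
        return f"{prefix}-{self._counter}"

    def request_purpose_access(self, analyst_id: str, purpose_id: str,
                               justification: str) -> Request:
        # FIG. 7A blocks 702-704; the justification is required metadata.
        if not justification.strip():
            raise ValueError("purpose access request needs a justification")
        req = Request(self._next_id("PAR"), analyst_id, purpose_id, justification)
        req.record("created", analyst_id)
        self.purpose_requests[req.request_id] = req
        return req

    def request_data_access(self, sponsor_id: str, asset_id: str,
                            purpose_id: str, justification: str) -> Request:
        # FIG. 7C blocks 722-724; only the purpose's sponsor may add an asset.
        if self.sponsors.get(purpose_id) != sponsor_id:
            raise PermissionError("only the purpose sponsor may request data access")
        if not justification.strip():
            raise ValueError("data access request needs a justification")
        req = Request(self._next_id("DAR"), asset_id, purpose_id, justification)
        req.record("created", sponsor_id)
        self.data_requests[req.request_id] = req
        return req

    def decide_purpose_request(self, request_id: str, decider_id: str,
                               approve: bool, reason: str = "") -> Request:
        # FIG. 7A blocks 708-712: the sponsor decides, never for themselves.
        req = self.purpose_requests[request_id]
        if self.sponsors.get(req.purpose_id) != decider_id:
            raise PermissionError("only the purpose sponsor may decide this request")
        if decider_id == req.subject_id:
            raise PermissionError("sponsor and analyst must be different persons")
        req.status = "approved" if approve else "denied"
        req.record(req.status, decider_id, reason)
        return req

    def decide_data_request(self, request_id: str, decider_id: str,
                            approve: bool, reason: str = "") -> Request:
        # FIG. 7C blocks 728-732: the asset owner decides; owner != sponsor.
        req = self.data_requests[request_id]
        if self.owners.get(req.subject_id) != decider_id:
            raise PermissionError("only the data asset owner may decide this request")
        if decider_id == self.sponsors.get(req.purpose_id):
            raise PermissionError("owner and sponsor must be different persons")
        req.status = "approved" if approve else "denied"
        req.record(req.status, decider_id, reason)
        return req

    @staticmethod
    def _approved(requests: Dict[str, Request], subject_id: str,
                  purpose_id: str) -> Optional[Request]:
        return next((r for r in requests.values() if r.status == "approved"
                     and r.subject_id == subject_id and r.purpose_id == purpose_id),
                    None)

    def access_basis(self, analyst_id: str, asset_id: str,
                     purpose_id: str) -> Optional[dict]:
        """Block 752: BOTH an approved PAR (analyst -> purpose) AND an approved DAR
        (asset -> purpose) are needed; returns them as the auditable basis, else None."""
        par = self._approved(self.purpose_requests, analyst_id, purpose_id)
        dar = self._approved(self.data_requests, asset_id, purpose_id)
        if par is None or dar is None or self.owners.get(asset_id) == analyst_id:
            return None                      # analyst and owner must also differ
        return {"purpose_access_request": par, "data_access_request": dar}

    def can_access(self, analyst_id: str, asset_id: str, purpose_id: str) -> bool:
        return self.access_basis(analyst_id, asset_id, purpose_id) is not None
```

Note that the analyst user is never linked to the data asset directly: removing either approval (or denying the request) removes the access, and the two request objects carry the justification and history that explain why access existed.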

Advantageously, via the system purpose sponsor users may activate, modify, and deactivate purposes, thereby efficiently managing access of data from a purpose-based perspective.

IX. Example Interactive Graphical User Interfaces

FIGS. 9A-9C, 10A-10F, 11A-11B, 12A-12F, 13A-13E, and 14A-14K illustrate example interactive graphical user interfaces of the system, according to various embodiments. The example user interfaces are provided for illustrative purposes to show various functionalities of the system. In other implementations, the interactive graphical user interfaces may include more or fewer elements, may be arranged differently, and/or may be combined or divided. As mentioned above, the various example interactive graphical user interfaces may be generated/provided by the access service 313 of the access management system 110, and/or another service or module of the system.

FIGS. 9A-9C illustrate example interactive graphical user interfaces related to an analyst user, among others, according to one or more embodiments. Referring to FIG. 9A, a user interface 902 includes a listing of purposes 904. The user interface shows, for each of the listed purposes, various metadata details (e.g., as may be included in properties of the associated purpose objects) including title, description, sponsor (e.g., associated purpose sponsor user), expiry timestamp, and purpose identifier (“Purpose ID”). Via the user interface 902, the analyst user may search for and/or filter the various purposes via filter/search tools 906. The listed purposes 904 may include purposes for which the analyst user has been approved, and/or any other purposes available for the analyst user to request access. In an implementation the system may indicate statuses of any purpose access requests submitted by the analyst user for any of the listed purposes.

Referring to FIG. 9B, a user interface 912 follows the user interface 902. In user interface 912, the analyst user has selected one of the listed purposes 914. Details related to the selected purpose are then displayed in the user interface in response to the analyst user's selection. The details (which may be found from the metadata of the related purpose object) include, in section 916, the title of the purpose, in section 922 a detailed description of the purpose, in section 924 other details, and in section 926, any data assets associated with or linked to the purpose. In the example user interface 912, four data assets are shown as linked to the purpose. Using button 920, the analyst user may select to review details related to the purpose in a different tab, in additional detail. Using button 918, the analyst user may request access to the purpose (e.g., causing the system to generate a purpose access request and an associated purpose access request object). Using buttons 917, the analyst user may view additional information related to administration of the purpose, and approval history related to the purpose.

Referring to FIG. 9C, a purpose access request user interface 930 is shown in response to the analyst user selecting button 918 from user interface 912. In the purpose access request user interface 930, the analyst user can select an access type, and provide a justification. The provided information can be added, as metadata, to a purpose access request object that may be generated when the analyst user selects the submit button. The selection of an access type can be used by the system to determine privileges/permissions/authorizations of the analyst user with respect to the data assets available in the purpose, if the user is granted access to the purpose.

FIGS. 10A-10F illustrate example interactive graphical user interfaces related to a purpose sponsor user, among other users, according to one or more embodiments. Referring to FIG. 10A, a user interface 1002 includes a listing of purpose access requests 1004. The listed purpose access requests 1004 include requests that have been directed to the logged-in purpose sponsor user due to the purpose sponsor user being responsible for the purpose associated with the requests. The user interface shows, for each of the listed requests, various metadata details (e.g., as may be included in properties of the associated purpose access request objects) including access type, request justification, status, decision purpose, and/or the like. Via the sidebar, the purpose sponsor user may filter and search the various requests.

Referring to FIG. 10B, a user interface 1012 follows the user interface 1002. In user interface 1012, the purpose sponsor user has selected one of the listed purpose access requests 1014. Details related to the selected request are then displayed in the user interface in response to the purpose sponsor user's selection. The details (which may be found from the metadata of the related purpose access request object) include, in section 1016, the title of the request (including an indication of the associated purpose), in section 1020 a listing of an event history of the request (e.g., for each event, a user associated with the event and a listing of properties of the request object at the time), in section 1022 an indication of other objects linked to the request (e.g., the associated purpose object, and the associated analyst user object), and in section 1024, a listing of current properties of the request (e.g., including a decision maker, a justification, a status, and/or the like). Using buttons 1018, the purpose sponsor user may view comments related to the request. Using button 1026, the purpose sponsor user may approve the request (e.g., after reviewing the details of the request), or may deny the request. Referring to FIG. 10C, a user interface 1032 is shown in response to the purpose sponsor user selecting the comments button 1018. Via the user interface 1032, the purpose sponsor user can add comments to the request, which are stored with the purpose access request object. Additionally, the purpose sponsor user can attach files (e.g., emails or other documents) to provide additional context associated with the request, which are also stored with the purpose access request object. Thus, a contextual history of the request can be captured with the request object.

Referring to FIG. 10D, in an example the purpose sponsor user selects to deny the request, and the user interface 1042 is shown in response. The purpose sponsor user may provide a reason for the decision, and may select the submit button. Referring to FIG. 10E, after the request is denied, user interface 1052 shows that the history 1054 of the request is updated to reflect the denial event, and metadata of the purpose access request object changed as a result. Advantageously, the history 1054 of the request indicates whether or not the request was historically denied, meaning whether this request or any similar request (e.g., by the same analyst user and for the same or a similar purpose) was previously denied. Such information may be helpful to the purpose sponsor user for determining whether or not to grant the analyst user access to the purpose.

Referring to FIG. 10F, user interface 1062 shows a more detailed view of the section 1022 from the user interface 1012 of FIG. 10B. In the example more detailed view 1062, the user can expand the various linked objects to see further linked objects. For example, the linked analyst user object 1064 has been expanded to show a purpose object linked to the analyst user object (for which the analyst user has been approved), and other purpose access request objects linked to the analyst user object. Advantageously, via this section of the user interface, the purpose sponsor user can investigate linked objects to help make a determination whether or not to approve or deny the request. Additionally, via this section of the user interface the user can select any of the listed objects to view a more detailed view of the selected object (e.g., a detailed view of a purpose object as shown in FIG. 13D and described below).

FIGS. 11A-11B illustrate example interactive graphical user interfaces related to a purpose sponsor user and/or a data asset owner user, among other users, according to one or more embodiments. Referring to FIG. 11A, a user interface 1102 includes a detailed view of an analyst user object. The view includes metadata associated with the analyst user object, and indications of any objects linked to the analyst user object (which may be expanded to view further sub-linked objects, as described above). Similar user interfaces may be provided for other types of users of the system. In general, the user interface 1102 may be useful for a purpose sponsor user and/or a data asset owner user to review purpose access requests and/or data access requests and make decisions to approve or deny. The reviewing user can further select to view a graph view of linked objects, as shown in user interface 1112 of FIG. 11B. As shown in user interface 1112, a graph view section 1114 includes visual indications (e.g., graphical nodes or icons) of the various linked objects, with links represented by graphical connectors. The user may select any of the objects in the graph view to view details (e.g., properties) associated with the selected object in the sidebar 1116. The user may also interact with the graph view and the displayed objects via moving, scrolling, zooming, and/or the like. As shown in the example graph view section 1114, the analyst user object 1120 is linked to two purpose access request objects 1122 and 1124. An indication of the status of the request can be indicated on the link. The purpose access request objects 1122 and 1124 are linked to respective purpose objects 1126 and 1128. Each of those is further linked to related objects. For example, purpose object 1126 is linked to data asset object 1118 (in the example, data asset object 1118 is selected and detailed information is shown in the sidebar 1116), which is further linked to a data source 1130. Purpose object 1128 is linked to data asset objects 1132 and 1134, among other objects, and data asset objects 1132 and 1134 are linked to respective data sources 1138 and 1136. Via the graph view of the user interface, a purpose sponsor user and/or a data asset owner user can investigate linked objects to help make a determination whether or not to approve or deny various requests. Additionally, such user interfaces can enable a user to quickly determine all purposes that have access to a certain data asset, and all users that have access to those purposes. Such user interfaces can further indicate all requests associated with those purposes, assets, and users, and the user interface can color code those requests to indicate whether such requests were approved or denied, for example.

FIGS. 12A-12F illustrate example interactive graphical user interfaces related to a purpose sponsor, among others, according to one or more embodiments. Referring to FIG. 12A, a user interface 1202 includes a listing of purposes 1204 that are managed by a currently logged-in purpose sponsor user. The user interface shows, for each of the listed purposes, various metadata details (e.g., as may be included in properties of the associated purpose objects) including title, description, sponsor (e.g., associated purpose sponsor user), expiry timestamp, purpose identifier (“Purpose ID”), and/or the like.

Referring to FIG. 12B, a user interface 1212 follows the user interface 1202. In user interface 1212, the purpose sponsor user has selected one of the listed purposes 1204. Details related to the selected purpose are then displayed in the user interface in response to the purpose sponsor user's selection. The user interface 1212 is similar to the purpose details shown in the user interface 912 of FIG. 9B, and the user interface 1212 may be shown in response to the user's selection of button 920 of the user interface 912. The details of the purpose object shown in user interface 1212 (which may be found from the metadata of the related purpose object) include, in section 1214, various details related to the purpose, and in section 1216, a listing of any data assets associated with or linked to the purpose. Using button 1218, the purpose sponsor user may add a purpose lead to the purpose (e.g., add a delegate or administrator to act on the purpose sponsor's behalf for the purpose). Using button 1220, the purpose sponsor user may update an expiry date associated with the purpose. The expiry date may be stored as metadata with the purpose object, and may cause the purpose to expire as of a particular date, and/or after a period of time. Upon or close to expiry of the purpose, the purpose sponsor user is prompted to review the purpose and either extend the expiry date, or allow the purpose to expire. Advantageously, the system may use expiration of purposes to ensure the purposes (and related data) do not become stale or get forgotten or lost in the system. Further, frequent reminders to users regarding the various purposes in the system may avoid duplication of similar purposes, and may prompt reconsideration of the scope of data granted access in each purpose, or review of the analyst users granted access in each purpose.

Referring to FIG. 12C, a user interface 1232 follows the user interface 1212 and is shown in response to the purpose sponsor user selecting the “add data assets” button in the user interface 1212. The purpose sponsor user may use the button to create requests to add additional data assets to the selected purpose. In user interface 1232, the purpose sponsor user may view a listing 1234 of available data assets, and may scroll through the list or filter the list. After selecting one or more data assets, the purpose sponsor user may select the button 1236, which causes the system to generate one or more data access request objects (e.g., depending on the number of data assets selected; in an implementation a separate data access request object is created for each selected data asset). Referring to FIG. 12D, user interface 1242 enables the purpose sponsor to edit and submit a data access request object, including specifying the data asset, the purpose, and a justification. In various implementations, and as mentioned above, justifications may be required of users when creating various kinds of requests, such that a history of data access and associated reasons may be audited.

Referring to FIG. 12E, a user interface 1252 follows the user interface 1202 of FIG. 12A and is shown in response to the purpose sponsor user selecting the “new purpose” button in the user interface 1202. The purpose sponsor user may use the button to create a new purpose. User interface 1252 enables the purpose sponsor user to edit and create a purpose request object, including specifying the purpose name, description, expiry date, purpose sponsor, visibility, and/or the like. In some embodiments, user interface 1252 may also be used by governance administrator users to create new purposes.

Referring to FIG. 12F, a user interface 1262 follows the user interface 1212 and is shown in response to the purpose sponsor user selecting the “manage scope options” button in the user interface 1212 of FIG. 12B. User interface 1262 of FIG. 12F enables the purpose sponsor user to review and edit access scope options for the purpose, including, for example, options based on geography (e.g., “east”, “national”, “north”, “south”, “west”), sub-categories within an organization, and/or the like. Such “scope” options may associate a particular data scope with a purpose. Thereafter, when a data asset is associated with the purpose, the associated data scope may automatically be applied to the data asset. When a scope is applied to a data asset, automatic filtering may be applied to the data asset. Such filtering may include, for example, limiting types of data, or limiting to certain columns or rows. In the example of a geographic scope, the data asset may be filtered to only include data items associated with the associated geographic scope. Other types of scoping and/or data filtering may be applied to purposes and/or data assets also. In some embodiments, a purpose sponsor user may by default be authorized to apply any scope options to a purpose. Further, in some embodiments, the system may limit a particular purpose sponsor user to only being authorized to apply certain scope options to a purpose or to approve purpose access requests for purposes of a certain scope.

FIGS. 13A-13E illustrate example interactive graphical user interfaces related to a data asset owner user, among other users, according to one or more embodiments. Referring to FIG. 13A, a user interface 1302 includes a listing of data assets 1304 that are managed by the currently logged-in data asset owner user. The user interface shows, for each of the listed data assets, various metadata details (e.g., as may be included in properties of the associated data asset objects) including title, data asset identifier (“Data Asset ID”), data protection considerations, granularity of data, and/or the like.

Referring to FIG. 13B, a user interface 1312 includes a listing of data access requests 1314. The listed data access requests 1314 include requests that have been directed to the logged-in data asset owner user due to the data asset owner user being responsible for the data asset associated with the requests. The user interface shows, for each of the listed requests, various metadata details (e.g., as may be included in properties of the associated data access request objects) including purpose, requestor, request justification, status, and/or the like. Via the sidebar, the data asset owner user may filter and search the various requests.

Referring to FIG. 13C, a user interface 1322 follows the user interface 1312. In user interface 1312, the data asset owner user has selected one of the listed data access requests 1314. Details related to the selected request are then displayed in the user interface in response to the data asset owner user's selection. The details (which may be found from the metadata of the related data access request object) include, in a top portion of the user interface, the title of the request (including an indication of the associated purpose), in section 1326 a listing of an event history of the request (e.g., for each event, a user associated with the event and a listing of properties of the request object at the time), in section 1328 an indication of other objects linked to the request (e.g., the associated purpose object, the associated purpose sponsor object, and other related data asset objects), and in section 1330, a listing of current properties of the request (e.g., including a decision maker, a justification, a status, and/or the like). Using buttons 1324, the data asset owner user may view or add comments related to the request (e.g., in a similar fashion to the addition of comments and/or attachments as described above in reference to FIG. 10C). Using buttons 1332, the data asset owner user may approve the request (e.g., after reviewing the details of the request), or may deny the request. Section 1328 of the user interface 1322 may be expanded similarly to the functionality described above in reference to FIG. 10F.

Referring to FIG. 13E, a user interface 1352 follows the user interface 1312. In user interface 1312, the data asset owner user has selected one of the listed data access requests 1314. Details related to the selected request are then displayed in the user interface 1352 in response to the data asset owner user's selection. The details (which may be found from the metadata of the related data access request object) may include, in a top portion of the user interface, the title of the request, the data asset and purpose associated with the request, the analyst user making the request, the status of the request, a justification for approval or denial of the request, and a justification for the request. The bottom portion 1354 of the user interface includes data minimization or filtering details. Portion 1354 includes a listing of columns 1356 of the data asset associated with the data access request. The data asset owner user may select one or more columns by selecting the checkbox next to each column. If the data access request is approved, any unselected columns may be filtered from the data asset when it is added to the applicable purpose. In some embodiments, some columns may be pre-selected according to a default data minimization or filtering rule, such as a scope (e.g., a scope associated with the purpose related to the data access request). Furthermore, user interface portion 1354 includes further row-based filtering options 1358. The data asset owner user may edit options 1358 to apply data minimization or filtering to the rows of the data asset. As with the column-based data minimization or filtering, the row-based data minimization or filtering may be pre-selected according to a default data minimization or filtering rule, such as a scope (e.g., a scope associated with the purpose related to the data access request). Other types of data minimization or filtering may similarly be applied to data assets associated with data access requests, purposes, and/or the like. If the data asset access request is approved, any unselected rows may be filtered from the data asset when it is added to the applicable purpose. Using button 1360, the data asset owner user may save changes made to the filtering of rows and columns.
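The column- and row-based minimization described for portion 1354, expressed as an added example. This code is not part of the disclosure; the Scope, MinimizationDecision, preselect, adjust and minimize names and the sample records and purpose scope are assumptions introduced here to show how scope defaults pre-select the view and how the owner's edits narrow it further before the asset is added to the purpose.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

Row = dict[str, Any]
RowFilter = Callable[[Row], bool]


@dataclass(frozen=True)
class Scope:
    """Default data minimization rule associated with a purpose (assumed shape):
    the columns the purpose may see and a predicate selecting the rows it may see."""
    allowed_columns: frozenset[str]
    row_filter: RowFilter = lambda row: True


@dataclass(frozen=True)
class MinimizationDecision:
    """What the data asset owner saves with the 'save' button: the columns left
    checked and the row filter in effect."""
    selected_columns: frozenset[str]
    row_filter: RowFilter


def preselect(asset_columns: list[str], scope: Scope | None) -> MinimizationDecision:
    """Pre-select columns and rows from the purpose's scope. With no scope, nothing
    is pre-selected, so the owner must opt each column in explicitly."""
    if scope is None:
        return MinimizationDecision(frozenset(), lambda row: True)
    return MinimizationDecision(
        frozenset(c for c in asset_columns if c in scope.allowed_columns), scope.row_filter)


def adjust(decision: MinimizationDecision, check: frozenset[str] = frozenset(),
           uncheck: frozenset[str] = frozenset(),
           row_filter: RowFilter | None = None) -> MinimizationDecision:
    """Apply the owner's edits (checkboxes and row options) to the pre-selected decision."""
    return MinimizationDecision((decision.selected_columns | check) - uncheck,
                                row_filter or decision.row_filter)


def minimize(rows: list[Row], asset_columns: list[str], decision: MinimizationDecision) -> list[Row]:
    """Build the view added to the purpose: unselected columns and filtered-out rows are
    dropped; the asset's column order is preserved."""
    keep = [c for c in asset_columns if c in decision.selected_columns]
    return [{c: row[c] for c in keep} for row in rows if decision.row_filter(row)]


# Constructed sample data asset and purpose scope (not real data).
ASSET_COLUMNS = ["record_id", "name", "postcode", "diagnosis", "consented"]
ASSET_ROWS: list[Row] = [
    {"record_id": 1, "name": "A. Example", "postcode": "SW1A", "diagnosis": "flu", "consented": True},
    {"record_id": 2, "name": "B. Example", "postcode": "EC1A", "diagnosis": "asthma", "consented": False},
    {"record_id": 3, "name": "C. Example", "postcode": "W1A", "diagnosis": "flu", "consented": True},
]
RESEARCH_SCOPE = Scope(frozenset({"record_id", "postcode", "diagnosis"}),
                       lambda row: row["consented"] is True)


def approve_with_defaults() -> list[Row]:
    """Owner approves without editing: the scope defaults decide what the purpose sees."""
    return minimize(ASSET_ROWS, ASSET_COLUMNS, preselect(ASSET_COLUMNS, RESEARCH_SCOPE))


def approve_without_postcode() -> list[Row]:
    """Owner unchecks 'postcode' after reviewing the other assets already in the purpose
    (e.g., because joining on postcode could re-identify pseudonymized records)."""
    decision = adjust(preselect(ASSET_COLUMNS, RESEARCH_SCOPE), uncheck=frozenset({"postcode"}))
    return minimize(ASSET_ROWS, ASSET_COLUMNS, decision)
```

The minimized view, not the raw asset, is what the purpose receives; the saved decision can be stored alongside the data access request object so that the filtering applied is auditable later.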

User interfaces 1352 (described in FIG. 13E above) and 1322 (described in FIG. 13C above) may be utilized interchangeably. Furthermore, any or all of the elements found in either user interface 1352 or user interface 1322 may be combined or used interchangeably, or any other elements related to properties of the selected data access request may be included. In various implementations, user interfaces similar to those of FIGS. 13C and 13E may be provided for purpose access requests, or other similar data objects of the system.

Advantageously, the data asset owner user may review other data assets associated with the purpose, and may thereby evaluate the effect of joining the current data asset with the existing data assets in the purpose. For example, the data asset owner user may determine that joining the current data asset with the existing data assets may have the effect of de-anonymizing pseudo-anonymized data in one of the data assets. Thus, the data asset owner user may decide to deny the request.

Also advantageously, the user interface 1322 can include a history of the request in section 1326, which may be updated as a result of various events (similar to functionality described above in reference to FIG. 10E).

In the user interface 1322, the data asset owner user may select various ones of the listed objects in 1328 to view details related to the object. For example, the data asset owner user may select purpose object 1334 to cause the user interface 1342 of FIG. 13D to be displayed showing details regarding the selected purpose object. User interface 1342 is similar to the user interface 912 of FIG. 9B.

FIGS. 14A-14K illustrate example interactive graphical user interfaces related to a governance administrator user, among other users, according to one or more embodiments. Referring to FIG. 14A, a user interface 1402 includes a listing of purposes 1404 that are the most used purposes within an organization, and a listing of data assets 1406 that are the most used data assets within an organization.

Referring to FIG. 14B, a user interface 1412 follows the user interface 1402 and in response to the governance administrator user selecting the “throughput explorer” button in the user interface 1402. User interface 1412 includes a chart graphic 1414 showing statistics on the approval status of various user requests to access purposes, a chart graphic 1416 showing statistics on the approval rates of purpose requests over time, and a listing of purposes 1418 with additional approval statistics including the average days to decision for approval/denial of purpose access requests and the associated rejection rates. Other statistical information may also be provided by the system in the user interface. The information shown in the user interface may be determined by the system by aggregating data and metadata associated with various purpose access request objects. Similar user interfaces may be provided for data access requests. The user of user interface 1412 may drill down into specific request objects and/or groups of request objects to further analyze the statistical information. Using these interfaces, the system advantageously enables a user to evaluate possible bottlenecks or issues with the approval processes of the system.

Referring to FIG. 14C, a user interface 1422 follows the user interface 1412 and in response to the governance administrator user selecting a purpose in list 1418 (and/or via other drill downs in the user interface 1412). The user interface 1422 includes details associated with the selected purpose (including, e.g., various information associated with the applicable purpose object), and a listing of alerts 1424 associated with the selected purpose. Alerts may be generated by the system based on various criteria, as further explained herein. Furthermore, alerts may be configured to require some action by a user before performing an action. For example, an alert may be configured to stop an analyst user from accessing a data asset until an alert is acknowledged and/or approved. In some embodiments, the system may automatically generate alerts based on certain criteria; for example, if a certain data asset access request is routinely being denied, the system may automatically generate an alert with a suggestion to create a derived data asset.

Referring to FIG. 14D, a user interface 1432 follows the user interface 1422 and in response to the governance administrator user selecting an alert from list 1424. The user interface 1432 includes a list of suggestions 1434 regarding the purpose with respect to the selected alert, and a list of recent purpose access requests associated with the purpose 1436. The user interface shows, for each of the listed purpose access requests, various metadata details (e.g., as may be included in properties and/or associations of the associated purpose access request objects) including title, approval status, a justification for the request, a justification for the decision made regarding approval or denial of the request, and/or the like. Advantageously, the data provided by the system in connection with the alert enables a user to quickly understand the basis of the alert, and determine ways to resolve or mitigate any negative effects represented by the alert.

Referring to FIG. 14E, a user interface 1442 follows the user interface 1402 and in response to the governance administrator user selecting the “audit explorer” button in the user interface 1402. User interface 1442 includes statistics on active purposes, data assets, and users 1444, a graphic showing statistics on purpose usage 1446, and a graphic showing statistics on data asset usage 1448. Advantageously, the data provided by the system in connection with these graphics may enable a user to quickly identify notable trends in data asset usage across an organization.

Referring to FIG. 14F, a user interface 1452 follows the user interface 1442 and in response to the governance administrator user selecting the “data access exploration” tab in the user interface 1442. User interface 1452 includes a dropdown menu 1454 that enables the governance administrator user to select a specific data asset, a listing of purposes 1456 approved to use the selected data asset, and a listing of analyst users 1457 approved to access purposes that include the selected data asset. The user interface shows, for each of the listed purposes, various metadata details (e.g., as may be included in properties and/or associations of the associated purpose, data asset, or data access request objects) including title, a justification for the associated data asset access request for the selected data asset, a justification for approval of the associated data asset access request for the selected data asset, a timestamp of when the associated data asset access request was approved, and/or the like. The user interface further shows, for each of the listed analyst users, various metadata details (e.g., as may be included in properties and/or associations of the associated purpose, data asset, data access request, or user objects) including name, the associated purpose through which the user has access to the selected data asset, a justification for the purpose access request through which the user has access to the selected data asset, a justification for the approval of that purpose access request, a timestamp of when the associated purpose access request was approved, and/or the like. Advantageously, user interface 1452 may enable a user to quickly identify and review recently approved purpose access requests and data asset access requests associated with a specific data asset.

Referring to FIG. 14G, a user interface 1462 follows the user interface 1442 and in response to the governance administrator user selecting the “user access explorer” tab in the user interface 1442. User interface 1462 includes a dropdown menu 1464 that enables the governance administrator user to select or search for a specific analyst user, a listing of purposes 1466 that the selected analyst user is approved to access, and a listing of data assets 1468 that the selected analyst user is approved to access. The user interface shows, for each of the listed purposes, various metadata details (e.g., as may be included in properties and/or associations of the associated objects) including title, a justification for the associated purpose access request for the selected analyst user, a justification for approval of the associated purpose access request for the selected analyst user, a timestamp of when the associated purpose access request was approved, and/or the like. The user interface further shows, for each of the listed data assets, various metadata details (e.g., as may be included in properties and/or associations of the associated objects) including title, the associated purpose through which the selected analyst user has access to the data asset, a justification for the purpose access request through which the selected analyst user has access to the data asset, a justification for the approval of that purpose access request, a timestamp of when the associated purpose access request was approved, and/or the like. Advantageously, user interface 1462 may enable a user to review an analyst user's access to purposes and data assets.

Referring to FIG. 14H, a user interface 1472 follows the user interface 1402 and in response to the governance administrator user selecting the “governance rails application” button in the user interface 1402. User interface 1472 includes a listing of purposes 1474. The user interface shows, for each of the listed purposes, various metadata details (e.g., as may be included in properties of the associated purpose objects) including purpose title, purpose tags, purpose description, purpose sponsor user, and/or the like. User interface 1472 also includes a sidebar 1476 that enables the governance administrator user to filter the list of purposes based on various metadata details, such as purpose tag or purpose type. Advantageously, user interface 1472 may enable a user to quickly search through and identify existing purposes by purpose tag or purpose type.

Referring to FIG. 14I, a user interface 1482 follows the user interface 1472 and in response to the governance administrator user selecting one or more purposes from listing 1474 and selecting the “add tags” button in the user interface 1472. The governance administrator user may use the button to add tags to the selected purpose. For example, in various implementations, a specific purpose may be tagged as “high risk.” User interface 1482 enables the governance administrator user to edit a purpose object, including specifying one or more tags to add as properties of the purpose object. Tags added to a purpose may advantageously enable the efficient application of rules to object metadata to generate alerts, as further described herein.

Referring to FIG. 14J, a user interface 1492 follows the user interface 1472 and in response to the governance administrator user selecting the “rules” tab in the user interface 1472. The governance administrator user may use the tab to create and edit rules governing the system and based on which the system may generate alerts. In various implementations, such rules may act as technical safeguards that ensure that an organization is complying with internal policies or legal imperatives. User interface 1492 enables the governance administrator user to create or edit a rule, including specifying one or more conditions 1494 that trigger the rule, and specifying one or more actions 1496 for the system to take if the aforementioned conditions are satisfied. For example, in the example illustrated by FIG. 14J, the governance administrator user is creating a rule for data access requests; however, the governance administrator user may also create rules for any object type described herein. The governance administrator user may specify conditions that trigger the rule; in the example illustrated by FIG. 14J, the governance administrator user has designated two conditions that must both be satisfied: the purpose associated with the data access request has been tagged as high risk and the data asset associated with the data access request has been tagged as an “AI” data asset. Further, the governance administrator user may specify actions for the system to take if the conditions are satisfied. For example, in the example illustrated in FIG. 14J, the governance administrator user has designated that when both conditions are met for a data asset access request, the system will create a data asset request alert. Alert conditions may be applied as alternatives (e.g., “or”) in addition to “and”, in any combination. Similar alerts may be specified and applied by the system to purpose access request objects, and the like. The system displays alerts to appropriate users (e.g., data asset owners, purpose sponsors, and/or governance users) so that the users may take action to, e.g., prevent sharing certain types of data, cautiously consider certain types of requests, and/or the like.
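The tag-based rule of FIG. 14J, evaluated over data access request objects, as an added example. This code is not part of the disclosure; the TaggedObject, TagCondition, Rule and evaluate_rules names, the action strings and the sample requests are assumptions introduced here. It goes slightly beyond the figure by supporting the “or” combinator the text mentions and by running several rules over several requests in one pass.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Literal


@dataclass
class TaggedObject:
    """Purpose or data asset object; tags are properties set via the 'add tags' UI."""
    title: str
    tags: frozenset[str] = frozenset()


@dataclass
class DataAccessRequest:
    """Data access request object linking a purpose and a data asset."""
    title: str
    purpose: TaggedObject
    data_asset: TaggedObject


@dataclass(frozen=True)
class TagCondition:
    """'The <field> associated with the request has been tagged as <tag>'."""
    field_name: Literal["purpose", "data_asset"]
    tag: str

    def holds(self, request: DataAccessRequest) -> bool:
        return self.tag in getattr(request, self.field_name).tags


@dataclass(frozen=True)
class Rule:
    """Conditions combined with 'and' or 'or', plus the action taken when they hold."""
    name: str
    conditions: tuple[TagCondition, ...]
    combinator: Literal["and", "or"] = "and"
    action: str = "create_data_asset_request_alert"

    def triggered_by(self, request: DataAccessRequest) -> bool:
        results = (c.holds(request) for c in self.conditions)
        return all(results) if self.combinator == "and" else any(results)


@dataclass(frozen=True)
class Alert:
    rule: str
    action: str
    request_title: str


def evaluate_rules(rules: list[Rule], requests: list[DataAccessRequest]) -> list[Alert]:
    """Run every rule over every request; one alert per (rule, request) pair that triggers.
    Alerts carry the rule name so the reviewing user can see the basis of the alert."""
    return [Alert(rule.name, rule.action, req.title)
            for req in requests for rule in rules if rule.triggered_by(req)]


# Constructed sample rules and request objects mirroring the FIG. 14J scenario.
HIGH_RISK_AND_AI = Rule("high-risk purpose requests AI asset",
                        (TagCondition("purpose", "high risk"), TagCondition("data_asset", "AI")))
ANY_HIGH_RISK = Rule("any high-risk involvement",
                     (TagCondition("purpose", "high risk"), TagCondition("data_asset", "high risk")),
                     combinator="or", action="notify_governance_user")

REQUESTS = [
    DataAccessRequest("req-1", TaggedObject("Fraud model tuning", frozenset({"high risk"})),
                      TaggedObject("Model training set", frozenset({"AI", "PII"}))),
    DataAccessRequest("req-2", TaggedObject("Fraud model tuning", frozenset({"high risk"})),
                      TaggedObject("Regional sales", frozenset({"finance"}))),
    DataAccessRequest("req-3", TaggedObject("Marketing dashboard", frozenset()),
                      TaggedObject("Model training set", frozenset({"AI"}))),
]
```

Because conditions read object tags rather than object titles, a single rule keeps applying as purposes and data assets are tagged or re-tagged through the FIG. 14I interface, without the rule itself being edited.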

Referring to FIG. 14K, a user interface 1498 enables the governance administrator user to view and compare multiple users' access permissions. The user interface shows and compares, for each user, various metadata details (e.g., as may be included in properties of the associated user objects) including name, associated purpose objects that the user has access to, and/or the like. Such information may advantageously allow a user to quickly determine when a certain analyst user's access permissions are incorrect, or beyond the scope of their position. Such information may also advantageously enable onboarding of new users to have the same access permissions as another user. In some embodiments, user interface 1498 may further advantageously enable a governance administrator user to immediately approve, for a first analyst user, access to some or all of the permissions that a second analyst user has access to.

X. Purpose-Based Checkpoints on User Actions

FIG. 15A shows a block diagram including an example computing environment 1500 for controlling user actions using checkpoints, according to one or more embodiments. The computing environment 1500 includes a front-end asset for service S 1502, a checkpoints service 1505, an example service S 1506, and a checkpoints component library 1508. The computing environment 1500 can comprise a portion of, be implemented in, or be the same as, the computing environment 111 described above, and can include some or all of the components, features, and characteristics of the computing environment 111, according to various implementations. For example, one or more of the front-end asset for service S 1502, checkpoints service 1505, example service S 1506, or checkpoints component library 1508 may be implemented in one or more of the access management system 110, the data management system 150, or a user device such as the computer system 301, among other components of the computing environment 111. In an implementation, the front-end asset for service S 1502 and checkpoints component library 1508 are implemented in computer system 301 (and/or transmitted to computer system 301 by access management system 110 and/or the data management system 150 to be executed, for example, in a web browser on computer system 301), example service S 1506 is implemented in the data management system 150, and the checkpoints service 1505 is implemented in the access management system 110. In various embodiments, the front-end asset for service S 1502 and example service S 1506 together comprise a data interaction service 315 that may provide various users with interactive user interfaces for interacting with data assets, e.g., data assets associated with a purpose/“project”. In various implementations, the “checkpoint” systems and methods of the present disclosure may be used with interactive user interfaces and applications for interacting with data assets even without an associated purpose/“project”.

As described herein, the checkpoints service 1505, optionally in combination with the checkpoints component library 1508, provides functionality for providing purpose-based checkpoints on user actions. The checkpoints component library 1508 may comprise an asset or library that provides front-end functionality (e.g., dialogs and other checkpoint-related interactions) to implement the user interactions and various checkpoint functionality described herein.

Examples of actions include, but are not limited to, downloading or exporting data, uploading or importing data, duplicating data, accessing data, elevating permissions, logging in, accepting end-user license agreements (“EULAs”), and/or the like. As with the purpose-based access functionality described above, the purpose-based checkpoints functionality of the system may be based on a data object model (described in further detail below, e.g., in reference to FIGS. 17A-17B), and may be integrated into an access control framework such that analyst users cannot perform actions without proceeding through a well-defined process that (1) improves administrative/governance users' visibility into actions being taken and the purposes of those actions, (2) aids in accountability by providing well-defined roles and capturing metadata that is useful for audit, and (3) may be efficiently configured by administrative/governance users, among other advantages. Unlike systems that implement only authentication and authorization/permissions, the system described herein can checkpoint and log when and why authenticated and authorized users perform certain actions, and ensure that users are authorized to perform certain actions for a selected purpose, among other advantages. This can be accomplished, for example, by capturing a contextual history of actions directly in checkpoint record objects associated with the actions.

In the context of purpose-based checkpoint functionality of the system, in addition to analyst users that perform actions, the system may include an administrative/governance user (herein referred to as an “admin user” or “governance administrator user”) role. Admin users create checkpoints and review checkpoint records subject to their own permissions and scope of responsibility, as described herein. Admin users each have the ability to assign delegates or other administrators for acting on their behalf for various types of requests. In some embodiments, the roles of governance administrator user, purpose sponsor user, and admin user may overlap partially or fully, or a single one of these roles may fulfill the responsibilities of all.

The following is an example workflow of the system as related to purpose-based checkpoints: Admin user creates a new checkpoint configuration associated with certain actions, and optionally scoped to certain user(s) and/or certain resource(s). Analyst user seeks to perform an action associated with a checkpoint, and is prompted according to the checkpoint configuration. Analyst user responds to the checkpoint appropriately, the response is recorded in a checkpoint record, and the action proceeds. Admin user may review the checkpoint record.

Referring again to FIG. 15A, example numbered interactions among the components shown in computing environment 1500 will now be described. The following interactions are an example implementation, and other implementations are contemplated. At interaction 1/1′, when a user interacting with the front-end asset for service S 1502 requests to perform an action, the front-end asset for service S 1502 communicates with the checkpoints service 1505 to check if any checkpoints (e.g., checkpoint config objects) are associated with the particular action, e.g., whether any prompts should be shown to the user. Determining whether a checkpoint is associated with a particular action can be based on various checkpoint configuration information (e.g., as stored or configured by a checkpoint config object) including, for example, an organization associated with the checkpoint, a type of the checkpoint, one or more conditions of the checkpoint, and/or any combination of the foregoing and/or the like. If so, and assuming frequency criteria associated with the checkpoint are also satisfied, a checkpoint prompt (e.g., a user interface dialog, such as a prompt, modal, popup, and/or other similar interactive user interface) is shown to the user (e.g., using the checkpoints component library 1508).

At interaction 2/2′, assuming a checkpoint prompt is shown to the user, one or more user inputs (e.g., responses) are received from the user via the checkpoint prompt. The user's response is compared to criteria associated with the checkpoint config object. If the criteria are satisfied, the user's response is accepted, and the user response and other information associated with the checkpoint may be communicated to and stored by the checkpoints service 1505 in a checkpoint record object. In other words, the checkpoints service 1505 may generate a checkpoint record object, and access and store information associated with the request and the checkpoint interactions (including, for example, a unique identifier associated with the related checkpoint config object, the creation time, a user identifier, the user input, indications of data assets or resources associated with the request (e.g., the “checkpointed item/resource”), and/or the like) with the checkpoint record object. This may include, for example, the checkpoints service 1505 accessing or querying example service S 1506 and/or another service or data source for information about the checkpointed item/resource. Further, the checkpoints service 1505 may generate a unique identifier associated with the checkpoint/request and may include that with the checkpoint record object. The checkpoints service 1505 may optionally provide the unique identifier associated with the checkpoint record object back to the front-end asset for service S 1502.

At interaction 3, front-end asset for service S 1502 communicates with the example service S 1506, e.g., via an API request and response, to initiate or perform the action requested by the user. The communication may optionally include the unique identifier associated with the checkpoint record object that was returned in interaction 2/2′. Before proceeding to perform the action, at interaction 4/4′ the example service S 1506 communicates with the checkpoints service 1505 to confirm that the user has satisfied the criteria associated with the checkpoint. The checkpoints service 1505 uses the unique identifier to verify that a legitimate checkpoint was created, and that the applicable criteria are satisfied. If the unique identifier corresponding to the checkpoint is empty, the checkpoints service verifies that this action was not configured to require a checkpoint. The example service S 1506 may pass along the user's auth header and the (optional) unique identifier corresponding to the checkpoint. In response, the checkpoints service 1505 may indicate whether the action can proceed, based on whether the checkpoint had really been created and the criteria satisfied, or whether the checkpoint was not actually required. If the checkpoint is satisfied, then example service S 1506 proceeds with performing the requested action.

In interaction 5, if necessary, the example service S 1506 updates the checkpoints service 1505 with information associated with the checkpoint, which information may then be stored with or in the checkpoint record object. Accordingly, the checkpoint record object may be enriched with information associated with the checkpoint. Such information may be important to store for data protection purposes. For example, for an action that creates a resource, this post-action update may include the unique identifier of the resource that was created. Additional examples of such information include a resource name, a resource location, historical details associated with the resource, and/or the like. Such enrichments may also be accomplished via the checkpoints service 1505 querying one or more other services or data sources for information related to the checkpoint, the associated resource, and/or the like.
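Interactions 1 through 5 of FIG. 15A, played out between the three components, as an added example. This code is not part of the disclosure; the CheckpointConfig, CheckpointRecord, CheckpointsService, ServiceS and FrontEnd names, the matcher and criteria shapes, the user identifier standing in for the auth header, and the sample organization and export checkpoint are assumptions introduced here. The verification in interaction 4/4′ is written so that an empty identifier passes only when no checkpoint applies to the action, and a supplied identifier passes only when its record belongs to the same user, action and config and has satisfied the criteria; the binding to user and action is an assumed reading of “legitimate checkpoint”.

```python
from __future__ import annotations
import uuid
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass
class CheckpointConfig:
    # Checkpoint config object (assumed shape): organization, type and matchers selecting actions.
    config_id: str
    organization: str
    checkpoint_type: str        # "justification" (free text) or "acknowledgement" (tick box)
    matchers: dict[str, str]    # every key/value must appear in the action
    prompt: str

    def applies_to(self, org: str, action: dict[str, str]) -> bool:
        return org == self.organization and all(action.get(k) == v for k, v in self.matchers.items())


@dataclass
class CheckpointRecord:
    # Checkpoint record object: who did what, with which input, and whether criteria were met.
    record_id: str
    config_id: str
    user_id: str
    action: dict[str, str]
    user_input: Any
    criteria_satisfied: bool
    enrichment: dict[str, str] = field(default_factory=dict)


class CheckpointsService:
    """Central store of configs and records (interactions 1, 2, 4 and 5)."""

    def __init__(self, configs: list[CheckpointConfig]) -> None:
        self.configs, self.records = configs, {}

    def find_config(self, org: str, action: dict[str, str]) -> CheckpointConfig | None:
        return next((c for c in self.configs if c.applies_to(org, action)), None)

    def submit_response(self, cfg, user_id, action, user_input) -> CheckpointRecord:
        # Criteria: non-empty justification text, or an acknowledgement that was ticked.
        if cfg.checkpoint_type == "justification":
            ok = isinstance(user_input, str) and user_input.strip() != ""
        else:
            ok = user_input is True
        rec = CheckpointRecord(str(uuid.uuid4()), cfg.config_id, user_id, dict(action), user_input, ok)
        self.records[rec.record_id] = rec      # recorded even when criteria are not met
        return rec

    def verify(self, org: str, user_id: str, action: dict[str, str], record_id: str) -> bool:
        # Interaction 4/4': an empty id is acceptable only if no checkpoint is configured for the
        # action; otherwise the record must exist, match this user/action/config and be satisfied.
        cfg = self.find_config(org, action)
        if not record_id:
            return cfg is None
        rec = self.records.get(record_id)
        return (rec is not None and cfg is not None and rec.config_id == cfg.config_id
                and rec.user_id == user_id and rec.action == action and rec.criteria_satisfied)

    def enrich(self, record_id: str, info: dict[str, str]) -> None:
        self.records[record_id].enrichment.update(info)   # interaction 5


class ServiceS:
    """Back-end that performs the action; it re-checks with the checkpoints service (4/4')."""

    def __init__(self, checkpoints: CheckpointsService, org: str) -> None:
        self.checkpoints, self.org = checkpoints, org

    def perform(self, user_id: str, action: dict[str, str], record_id: str = "") -> dict[str, str]:
        # user_id stands in for the identity carried by the request's auth header
        if not self.checkpoints.verify(self.org, user_id, action, record_id):
            return {"status": "denied"}
        resource_id = "res-" + uuid.uuid4().hex[:8]       # constructed id of the created resource
        if record_id:                                      # interaction 5: post-action enrichment
            self.checkpoints.enrich(record_id, {"resource_id": resource_id, "resource_name": action["target"]})
        return {"status": "ok", "resource_id": resource_id}


class FrontEnd:
    """Front-end asset for service S; `respond` stands in for the component library's dialog."""

    def __init__(self, checkpoints: CheckpointsService, service: ServiceS, org: str) -> None:
        self.checkpoints, self.service, self.org = checkpoints, service, org

    def request_action(self, user_id: str, action: dict[str, str], respond: Callable[[str], Any]) -> dict[str, str]:
        record_id = ""
        cfg = self.checkpoints.find_config(self.org, action)                   # interaction 1/1'
        if cfg is not None:
            rec = self.checkpoints.submit_response(cfg, user_id, action, respond(cfg.prompt))  # 2/2'
            if not rec.criteria_satisfied:
                return {"status": "blocked", "record_id": rec.record_id}
            record_id = rec.record_id
        return {**self.service.perform(user_id, action, record_id), "record_id": record_id}  # 3


# Constructed sample deployment: one organization, one justification checkpoint on exports.
CHECKPOINTS = CheckpointsService([CheckpointConfig(
    "cfg-export", "acme", "justification", {"action": "export"}, "Why are you exporting this data?")])
SERVICE_S = ServiceS(CHECKPOINTS, "acme")
FRONT_END = FrontEnd(CHECKPOINTS, SERVICE_S, "acme")
EXPORT = {"action": "export", "target": "sales.csv"}
```

The point of interaction 4/4′ is that service S never trusts the front end's word that a prompt was answered: it asks the checkpoints service, which holds both the configuration and the records, so a call that reaches service S without a valid identifier for a checkpointed action is refused regardless of how it was made.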

Advantageously, the architecture of the system may enable: (1) checkpoint integrity, meaning that the architecture can enforce that every sensitive action taken by a user requires a checkpoint; (2) checkpoint completeness, meaning that in interaction 5, the service S (and/or another service or data source) can provide additional detail to the checkpoints service if needed; (3) low design complexity, meaning that the design is efficient to implement and execute; (4) ease of product integration, meaning that it can be efficient for products to integrate, as they just need to use the checkpoints frontend library and add only an optional unique identifier to the API; and (5) streamlined checkpoints configurability, meaning that all configuration can be stored centrally in the checkpoints service, as the frontend asset will query the checkpoints service for information on what to display.

In an implementation, in interaction 4/4′, the system may check “approvals” for a checkpoint, e.g., for a proper purpose provided by the user (as described above).

FIG. 15B shows a flowchart illustrating example operations of an access management system, according to one or more embodiments. The blocks of the flowchart illustrate example implementations, and in various other implementations various blocks may be rearranged, optional, and/or omitted, and/or additional blocks may be added. The example operations of the system illustrated in FIG. 15B may be implemented, for example, by the checkpoints service 1505 and/or various aspects of the computing environment 1500, the access management system 110, and/or the data management system 150, and such operations may follow authentication of a user (such as described with reference to FIG. 4). As mentioned above, in various implementations, an operating system, file management system, and/or other service (e.g., authentication service 311 and/or aspects of the data management system 150) can manage authentication and authorizations/permissions/privileges of a user. Additionally, the operations described below in reference to FIG. 15B correspond to, and/or align with or augment, the interactions and functionality described above in reference to FIG. 15A.

Referring to FIG. 15B, at block 1522 the system receives, from an analyst user, a request to perform an action (which may be associated with an example service S, as described above in reference to FIG. 15A). At block 1524, in response to receiving the request from the analyst user, the system determines whether any checkpoints (e.g., checkpoint config objects, as described below) are associated with the action. This determination may be based on various checkpoint configuration information defined by the checkpoint config object, as described below. Such checkpoint configuration information may include, for example, an organization associated with the checkpoint, a type of the checkpoint, one or more conditions (or “matchers”) of the checkpoint, and/or any combination of the foregoing and/or the like. If so, at block 1525, the system may also determine whether frequency criteria associated with the checkpoint are satisfied, if applicable. Such frequency criteria may indicate, for example, a frequency with which any given analyst user should see the checkpoint. By default, the checkpoint frequency may be set to zero. When set to zero, the checkpoint will show every time any given analyst user takes an action that meets the various checkpoint configuration information. When set higher than zero, the checkpoint will show only if it has not been shown to any given analyst user within the last period of time specified by the checkpoint frequency criteria (e.g., within the last number of minutes, hours, days, weeks, months, and/or the like). In various implementations, rather than a period of time, the admin user may specify a particular number of times that the action is invoked by a given analyst user. Thus, for example, a checkpoint may only activate every other, or every 5 or 10 (or some other number) times that the user performs the checkpointed action. Not satisfying the checkpoint frequency criteria means that the checkpoint prompt need not be displayed to the user.
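The frequency criteria of block 1525, for both the time-period and the every-n-invocations variants, as an added example. This code is not part of the disclosure; the FrequencyCriteria and FrequencyTracker names, the per-user/per-checkpoint bookkeeping, and the reading of “every other” as “the first invocation and then every n-th” are assumptions introduced here.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FrequencyCriteria:
    """Assumed shape of a checkpoint config object's frequency criteria. `period`
    means 'show at most once per period to a given user'; `every_n` means 'show on
    the first invocation and then every n-th one'; neither set (the default of
    zero) means the dialog is shown every time."""
    period: timedelta | None = None
    every_n: int = 0


class FrequencyTracker:
    """Per-user, per-checkpoint state kept by the checkpoints service for block 1525."""

    def __init__(self) -> None:
        self.last_shown: dict[tuple[str, str], datetime] = {}
        self.invocations: dict[tuple[str, str], int] = {}

    def should_show(self, user_id: str, config_id: str, crit: FrequencyCriteria,
                    now: datetime) -> bool:
        key = (user_id, config_id)
        count = self.invocations.get(key, 0) + 1
        self.invocations[key] = count
        if crit.period is not None:
            last = self.last_shown.get(key)
            show = last is None or now - last >= crit.period
        elif crit.every_n > 1:
            show = (count - 1) % crit.every_n == 0        # 1st, (n+1)th, (2n+1)th, ...
        else:
            show = True                                   # frequency zero: every time
        if show:
            self.last_shown[key] = now
        return show


def simulate(crit: FrequencyCriteria, offsets_minutes: list[int], user_id: str = "analyst1") -> list[bool]:
    """Replay one user's repeated attempts at the same checkpointed action at the given
    minute offsets from a constructed start time; returns whether the dialog was shown
    on each attempt. Attempts that are not shown skip straight to the action."""
    tracker = FrequencyTracker()
    start = datetime(2021, 5, 20, 9, 0)                   # constructed start time
    return [tracker.should_show(user_id, "cfg-export", crit, start + timedelta(minutes=m))
            for m in offsets_minutes]
```

The state is keyed by user and checkpoint, so one analyst's earlier acknowledgement never suppresses the prompt for another analyst, and a checkpoint that is skipped for frequency reasons still leaves the invocation count behind for audit.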

If the checkpoint configuration information indicates a match or association with the action being taken, and the checkpoint frequency criteria are satisfied, at block 1526, the system causes display of a checkpoint dialog to the user based on the checkpoint config object. The checkpoint may include a requirement that certain information be provided by the analyst user, that certain responses be provided, and/or that certain purposes be provided/met. One or more of these, and/or other type of information, may comprise “criteria” of the checkpoint config object that are to be satisfied for the analyst user to be allowed to proceed with the action. At block 1527, the user provides an input to the checkpoint dialog (which input may comprise, for example, a written input, a selection from a dropdown, an acknowledgement, and/or the like). At block 1528, if the criteria are not satisfied, at block 1530 the analyst user is not allowed to perform the requested action. If the criteria are satisfied, at block 1532 the system generates a checkpoint record object with information associated with the checkpoint (which may include, for example, information associated with the action and/or checkpointed resource, e.g., received from an example service S associated with the action, as described above in reference to FIG. 15A), and at block 1534 the analyst user is allowed to proceed with the requested action (which may include, for example, communications with an example service S, as described above in reference to FIG. 15A). In various implementations, when the analyst user is not allowed to perform an action, the system may still generate a checkpoint record object with information associated with the checkpoint, including information regarding the criteria not being satisfied. In various implementations, generating the checkpoint record object may include one or more queries of information to enrich the checkpoint record object. The information by which the checkpoint record object may be enriched may include, for example, a resource name, a resource location, historical details associated with the resource, and/or the like. Such queries may include queries of the service associated with the action, and/or other services or data sources. Examples of information that may be added to the checkpoint record object are described or shown below in reference to various figures, including, for example, FIGS. 17B, 19A, and 19J.

In various implementations, checkpoints may support approval-based workflows. In these implementations, the checkpoint “criteria” may accordingly comprise an approval by another user, e.g., an admin user. That is, once a user submits a justification in response to a checkpoint, the system then kicks off a request (or multiple requests) for approval. Such a request may comprise a notification or alert to, e.g., an admin user or some other supervisory or eligible user, requesting that the admin user approve the user's action request. Once the request (or multiple requests) is approved, then the user can proceed with the requested action. Such functionality may be useful, for example, for particularly sensitive actions. In some cases, the checkpoint may not include a justification, but may simply kick off the approval process. In these implementations, the initial checkpoint request may generate a checkpoint record object that includes a “pending approval” status. The corresponding checkpoint config object may specify the approver specification, which may include a list of eligible approvers (or types of eligible approvers) and how many approvals are required to authorize the action. The approvers can mark an approval request as “approved” or “rejected”. In both cases, the checkpoint record object is updated with all information regarding the approval requests and the responses received from the approvers. If a user approves the issue but there are still more approvals required, the checkpoint record object may remain in “Pending” state, but may record the approvals that have come in. If a user approves the issue and no more approvals are required, the checkpoint record object is changed to an “Approved” state. If a user rejects the issue, the checkpoint record object is changed to a “Rejected” state (and the user requesting the action will not be allowed to proceed). In some implementations, once a user requesting an action has an approved checkpoint for the action, they can retry the action and they will proceed; no checkpoint will be shown (e.g., because it has been approved). Proceeding with the action may, for example, use up the approval and then the approved checkpoint will be marked as expired. In this case, the next time the user tries the action, they will be prompted with another request for approval checkpoint and the approval workflow can start again.

In various implementations, the checkpoint approvals flow described above may also support “expirations”. In these implementations, each approval can persist through multiple attempts at performing a checkpointed action until an expiration condition is met. Expiration conditions can include, for example, time-to-live (the checkpoint approval is valid for a certain time duration), a number of uses (the checkpoint approval is valid only for a set number of sensitive action operations), and/or the like.
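The approval workflow and expiration conditions just described, as an added Python illustration that is not code from the application; the class and method names, the rule that a single rejection blocks the action, and the `demo` walk-through are assumptions:

```python
"""Approval-gated checkpoint with expiration: added illustration, not the
application's own code. Class and method names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ApproverSpec:
    eligible: frozenset      # user ids allowed to respond to approval requests
    required: int            # distinct approvals needed to authorize the action


@dataclass
class CheckpointRecord:
    record_id: str
    config_id: str
    acting_user: str
    action: str
    created_at: datetime
    justification: Optional[str] = None
    status: str = "Pending"  # Pending -> Approved | Rejected; Approved -> Expired
    responses: dict = field(default_factory=dict)  # approver -> decision (audit)
    approved_at: Optional[datetime] = None
    uses_consumed: int = 0


class ApprovalCheckpoint:
    """Approval workflow for one checkpoint config; ttl and uses_allowed are
    the expiration conditions (None disables that condition)."""
    def __init__(self, config_id: str, spec: ApproverSpec,
                 ttl: Optional[timedelta] = None,
                 uses_allowed: Optional[int] = None):
        self.config_id, self.spec = config_id, spec
        self.ttl, self.uses_allowed = ttl, uses_allowed
        self._seq = 0

    def request(self, user: str, action: str, now: datetime,
                justification: Optional[str] = None) -> CheckpointRecord:
        """User hits the checkpoint: open a record in 'Pending' status."""
        self._seq += 1
        return CheckpointRecord(f"rec-{self._seq}", self.config_id, user,
                                action, now, justification)

    def respond(self, rec: CheckpointRecord, approver: str, decision: str,
                now: datetime) -> str:
        """Record an approver's decision; return the record's new status."""
        if approver not in self.spec.eligible:
            raise PermissionError(f"{approver} is not an eligible approver")
        if approver == rec.acting_user:
            raise PermissionError("approval must come from another user")
        if rec.status != "Pending":
            raise ValueError(f"{rec.record_id} is {rec.status}, not Pending")
        if decision not in ("approved", "rejected"):
            raise ValueError(f"unknown decision {decision!r}")
        rec.responses[approver] = decision           # every response is kept
        approvals = sum(d == "approved" for d in rec.responses.values())
        if decision == "rejected":
            rec.status = "Rejected"                  # requester may not proceed
        elif approvals >= self.spec.required:
            rec.status, rec.approved_at = "Approved", now
        return rec.status                            # otherwise still Pending

    def try_action(self, rec: CheckpointRecord, now: datetime) -> bool:
        """True if the action may proceed (consumes one use); False means the
        caller must show the approval checkpoint again."""
        if rec.status != "Approved":
            return False
        if self.ttl is not None and now - rec.approved_at > self.ttl:
            rec.status = "Expired"                   # time-to-live exceeded
            return False
        rec.uses_consumed += 1
        if self.uses_allowed is not None and rec.uses_consumed >= self.uses_allowed:
            rec.status = "Expired"                   # use count exhausted
        return True


def demo() -> dict:
    """Constructed walk-through: two approvers, single-use approval, then TTL."""
    t0 = datetime(2021, 5, 20, 9, 0)
    spec = ApproverSpec(frozenset({"admin1", "admin2"}), required=2)
    cp = ApprovalCheckpoint("cfg-export", spec, uses_allowed=1)
    rec = cp.request("user_a", "Data Export", t0, "quarterly roster reconciliation")
    out = {"after_first": cp.respond(rec, "admin1", "approved", t0),
           "after_second": cp.respond(rec, "admin2", "approved", t0)}
    out["first_use"] = cp.try_action(rec, t0)      # proceeds; approval used up
    out["after_use"] = rec.status
    out["second_use"] = cp.try_action(rec, t0)     # approval must be requested again
    rej = cp.request("user_a", "Data Export", t0)
    out["rejected"] = cp.respond(rej, "admin1", "rejected", t0)
    ttl_cp = ApprovalCheckpoint("cfg-ttl", ApproverSpec(frozenset({"admin1"}), 1),
                                ttl=timedelta(hours=1))
    late = ttl_cp.request("user_b", "Data Export", t0)
    ttl_cp.respond(late, "admin1", "approved", t0)
    out["ttl_use"] = ttl_cp.try_action(late, t0 + timedelta(hours=2))
    out["ttl_status"] = late.status
    return out
```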

FIGS. 16A-16D illustrate example interactive graphical user interfaces related to providing purpose-based checkpoints, according to one or more embodiments. The example user interfaces are provided for illustrative purposes to show various functionalities of the system. In other implementations, the interactive graphical user interfaces may include more or fewer elements, may be arranged differently, and/or may be combined or divided. As mentioned above, the various example interactive graphical user interfaces may be generated/provided by any combination of the front-end asset for service S 1502, the checkpoints component library 1508, the checkpoints service 1505, the access service 313 of the access management system 110, and/or other services or modules of the system. FIGS. 16A-16D illustrate example interactive graphical user interfaces related to an analyst user, among others, according to one or more embodiments.

Referring to FIG. 16A, the example user interface shows an analyst user's files, and via a button of the user interface the user is selecting to perform an action. In this example, the user is selecting to upload a file; however, checkpointed actions may include various other types of user actions, such as downloading or exporting data, uploading or importing data, duplicating data, accessing data, elevating permissions, logging in, accepting end-user license agreements (“EULAs”), and/or the like. Referring to FIG. 16B, in response to the user requesting to upload a file, the system determines that a checkpoint configuration is associated with the action being taken by the user (and that the frequency criteria are satisfied, if applicable), and therefore generates and displays a checkpoint dialog, which may comprise a popup overlayed on the example user interface of FIG. 16A. As shown in FIG. 16B, the checkpoint may provide the user with a notice and description of a data import restriction. The user may be required to affirmatively check the checkbox indicating that the data to be uploaded conforms to an import policy. After checking the checkbox, the checkpoint criteria may be satisfied, and thus the user may be allowed to proceed with the data upload/import. While not displayed in the user interface, as described above, the system creates a checkpoint record object with information associated with the checkpoint interaction.

Referring to FIG. 16C, another example user interface shows an analyst user viewing properties associated with some data. Via a button of the user interface the user is selecting to perform an action. In this example, the user is selecting to export the data. Referring to FIG. 16D, in response to the user requesting to export the data, the system generates and displays a checkpoint dialog (based on the user's action matching a checkpoint config object), which may comprise a popup overlayed on the example user interface of FIG. 16C. As shown in FIG. 16D, the checkpoint may provide the user with a notice and description of a data export restriction. The user may be required to affirmatively type certain information into a text box. Such information may indicate agreement, and/or a purpose for the data export. After typing the text, the checkpoint criteria may be satisfied, and thus the user may be allowed to proceed with the data export. While not displayed in the user interface, as described above, the system creates a checkpoint record object with information associated with the checkpoint interaction.

As mentioned above, and as further described below, the checkpoint may further include an indication and verification of a purpose. Further, various types of criteria may be specified for various types of actions. Such flexibility in the system may advantageously be enabled by the checkpoint object model further described herein.

Additionally, as also described herein, information associated with the analyst user encountering and responding to a checkpoint can be stored in a checkpoint record, which advantageously can enable auditing of, and an admin user to review, checkpoint activity.

FIG. 17A shows an example block diagram including additional details of a computing environment for configuring checkpoints, according to one or more embodiments. As shown, and as mentioned above, the checkpoints service 1505 may be implemented in the access management system 110, and may be included in the computing environment 111 and/or computing environment 1500. Additionally, in various implementations, the checkpoints service 1505 may include a checkpoints configuration service 1702 that may provide functionality for configuring checkpoints. Further, the system may include a checkpoints configurations and records data store 1704, that may comprise any type of data store(s) or database(s) that may store checkpoint configurations (e.g., checkpoint config objects) and checkpoint records (e.g., checkpoint record objects). In various implementations, the checkpoints configurations and records data store 1704 may be integrated with and/or separate from the dataset(s) 156 and/or database(s) 109. Example functionality provided by the checkpoints service 1505 and/or the checkpoints configurations and records data store 1704 (and in conjunction with other components of the system) is described below.

FIG. 17B shows an example object model for managing or controlling user actions with checkpoints, according to one or more embodiments. Similar to, and optionally as an extension of, the object model described above for purpose-based access controls, the system can include an object model for providing the checkpoints functionality. As shown in FIG. 17B, data object types of the object model include checkpoint config objects 1712 and checkpoint record objects 1714. As with the object model described above, the system can create instantiations of the object types shown in FIG. 17B in association with generating checkpoints for actions (checkpoint config objects), and analyst users interacting with checkpoints when taking actions (checkpoint record objects).

As illustrated in FIG. 17B, each instantiation of a checkpoint config object 1712 may include various properties associated with a checkpoint configuration, including for example, various checkpoint configuration information, frequency criteria, and/or the like. Such information may include, for example, organization unique identifier, checkpoint type, conditions (e.g., matcher/exemption matchers), name/description, justification spec, prompt language, frequency criteria, attribution, history, purpose (may link to purpose object), and/or the like. Various of these properties are useful for functionality of the checkpoints as described below, including for determining whether a checkpoint is associated with a user's action. For example, the checkpoint type may be used to specify the type of action associated with the checkpoint. As another example, the justification spec, purpose, and/or the like may comprise checkpoint “criteria” that must be satisfied by the user to proceed with an action. History may be used to track changes made to a checkpoint config. Also, as also described below, checkpoint configurations may be scoped to particular organizations, teams, projects, and/or the like, and thus the checkpoint config object can include, e.g., an organization unique identifier (and/or other types of unique identifiers).

As also illustrated in FIG. 17B, each instantiation of a checkpoint record object 1714 may include various properties associated with a checkpoint record, including for example, checkpoint record object unique identifier, checkpoint config object unique identifier, creation time, acting user, user input/justification, checkpointed item/resource information, and/or the like. Accordingly, a checkpoint record object may be linked to at least a corresponding checkpoint config object and a resource associated with the executed checkpoint.

In an implementation, changes to a checkpoint config (e.g., as tracked by the history property) may generate new checkpoint config object unique identifiers such that checkpoint record objects may link to the version of the checkpoint config object that existed as of the time the checkpoint record object was created.

As noted above, the checkpoint config object may include one or more conditions (also referred to herein as “matchers”, “exemption matchers”, and/or the like) of the checkpoint. Such conditions may indicate which user actions should cause activation of the particular checkpoint, and may optionally override other checkpoint configuration information. Thus, when analyst users request actions, the system (e.g., the checkpoints service 1505) can use, in addition to the checkpoint types, the conditions of the various checkpoint config objects of the system to determine whether to initiate checkpoints. The matchers and/or exemption matchers can allow specification of conditions under which a checkpoint should activate. For example, if all matchers in the checkpoint config are satisfied, the checkpoint is activated. Such matchers can include location matchers, principal matchers, and marking matchers. Location matchers can include a location scope of the checkpoint config, such as within a system, project, namespace, or resource. Principal matchers can include a user scope of the checkpoint config, including certain groups or users. Marking matchers can scope the checkpoint config to resources that have a certain marking. Additionally, the checkpoint config can include “exemption” matchers, which can include any of the example types of matchers described above, but which, if satisfied, cause the checkpoint not to be activated.

FIG. 17C illustrates an example of one or more data stores with example data in various groups, projects, scopes, and/or the like, according to one or more embodiments. As shown, the “tenant” or “organization” in the example is “schools”. Within that organization, multiple namespaces exist, including “School 1” and “School 2”. Within School 2, there are multiple groups of users, and multiple groups of data (e.g., house 1, house 2, etc.). Further, within each group of data, there are multiple sub-groups, such as prefects and pupils, and related data items/files within those sub-groups of data. The following are example checkpoint config object properties that may cause activation of a checkpoint in different situations in the context of the example of FIG. 17C.

Example 1: House 1 Data Export

-   Organization: Schools
-   Checkpoint Type: Data Export
-   Matchers:
    -   Location Matcher: {House 1, Project}

Example 2: Data Export for Tenant Except House 1

-   Organization: Schools
-   Checkpoint Type: Data Export
-   Matchers:
    -   Exemption Matcher:
        -   Location Matcher: {House 1, Project}

Example 3: Data Export for School 2 Except House 1

-   Organization: Schools
-   Checkpoint Type: Data Export
-   Matchers:
    -   Location Matcher: School 2
    -   Exemption Matcher:
        -   Location Matcher: {House 1, Project}

Example 4: Data Export for All School 2 Rosters (Marked with PII Marking)

-   Organization: Schools
-   Checkpoint Type: Data Export
-   Matchers:
    -   Location Matcher: {School 2, Namespace}
    -   Marking Matcher: PII

Example 5: Data Export for All School 2 Rosters Except for Profs

-   Organization: Schools
-   Checkpoint Type: Data Export
-   Matchers:
    -   Location Matcher: {School 2, Namespace}
    -   Marking Matcher: PII
    -   Exemption Matcher:
        -   Group Matcher: Profs

In an implementation, the system may store checkpoint config objects keyed based on a hierarchy, such as organization, then type, then conditions/matchers, such as location. Such storage may be based on, or indexed according to, a tree structure. Such storage may enable rapid retrieval of relevant checkpoint config objects when the system receives a user request to perform an action. For example, when an analyst user requests to perform an action, and the system determines checkpoint config objects associated with the action, in an implementation the system may do so as follows: (1) determine which locations a valid checkpoint config could be set (e.g., resource, project, namespace, none); and (2) for each location unique identifier, perform the following steps: (a) retrieve set of configs keyed by <org, type, location id> from datastore; (b) categorize the configs into three sets: applicable, exempted, removed (Applicable: The user should see this config, Exempted: The user is exempt from this config, Removed: The config is not applicable for the checkpointed action/user); and (3) return applicable checkpoint configs.
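The matcher and exemption matcher evaluation described above (with Examples 1-5) and the three-step retrieval procedure, as an added Python illustration that is not the application's own code; the names, the AND combination of matchers, the OR combination of exemption matchers, and treating “School 2” in Example 3 as a namespace are assumptions:

```python
"""Matchers, exemption matchers and tree-keyed config retrieval: added
illustration, not the application's own code. Names and the AND/OR
combination of matchers are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    kind: str                 # "resource", "project", "namespace" or "none"
    name: Optional[str] = None


@dataclass(frozen=True)
class Matcher:
    kind: str                 # "location", "principal" or "marking"
    value: object             # a Location, a user/group name, or a marking


@dataclass(frozen=True)
class CheckpointConfig:
    config_id: str
    org: str
    checkpoint_type: str
    matchers: tuple = ()      # assumed: all must hold to activate (AND)
    exemptions: tuple = ()    # assumed: any holding one exempts the user (OR)


@dataclass(frozen=True)
class ActionContext:
    """The requested action: who, which type, on which resource and where."""
    org: str
    checkpoint_type: str
    user: str
    groups: frozenset
    resource: str
    project: Optional[str]
    namespace: Optional[str]
    markings: frozenset


def candidate_locations(ctx: ActionContext) -> list:
    """Step (1): locations at which a config for this action could be set."""
    locs = [Location("resource", ctx.resource)]
    if ctx.project: locs.append(Location("project", ctx.project))
    if ctx.namespace: locs.append(Location("namespace", ctx.namespace))
    locs.append(Location("none"))   # org-wide configs with no location matcher
    return locs


def matcher_holds(m: Matcher, ctx: ActionContext) -> bool:
    if m.kind == "location":
        return m.value in candidate_locations(ctx)
    if m.kind == "principal":
        return m.value == ctx.user or m.value in ctx.groups
    if m.kind == "marking":
        return m.value in ctx.markings
    raise ValueError(f"unknown matcher kind {m.kind!r}")


def config_location(cfg: CheckpointConfig) -> Location:
    """Location a config is keyed under: its location matcher, else 'none'."""
    return next((m.value for m in cfg.matchers if m.kind == "location"),
                Location("none"))


class ConfigStore:
    """Tree keyed <org, type, location id> -> list of configs."""
    def __init__(self):
        self._tree = {}

    def add(self, cfg: CheckpointConfig) -> None:
        by_type = self._tree.setdefault(cfg.org, {})
        by_loc = by_type.setdefault(cfg.checkpoint_type, {})
        by_loc.setdefault(config_location(cfg), []).append(cfg)

    def lookup(self, org: str, checkpoint_type: str, loc: Location) -> list:
        return self._tree.get(org, {}).get(checkpoint_type, {}).get(loc, [])


def categorize(cfg: CheckpointConfig, ctx: ActionContext) -> str:
    """Step (2b): 'applicable', 'exempted' or 'removed' for this action."""
    if not all(matcher_holds(m, ctx) for m in cfg.matchers):
        return "removed"
    if any(matcher_holds(m, ctx) for m in cfg.exemptions):
        return "exempted"
    return "applicable"


def resolve_checkpoints(store: ConfigStore, ctx: ActionContext) -> dict:
    """Steps (1)-(3): config ids by category; only 'applicable' ones are shown."""
    result = {"applicable": [], "exempted": [], "removed": []}
    for loc in candidate_locations(ctx):
        for cfg in store.lookup(ctx.org, ctx.checkpoint_type, loc):
            result[categorize(cfg, ctx)].append(cfg.config_id)
    return result


def build_schools_store() -> ConfigStore:
    """Examples 1-5 above as constructed config objects."""
    house1 = Matcher("location", Location("project", "House 1"))
    school2 = Matcher("location", Location("namespace", "School 2"))
    pii, profs = Matcher("marking", "PII"), Matcher("principal", "Profs")
    store = ConfigStore()
    for cfg in (CheckpointConfig("ex1", "Schools", "Data Export", (house1,)),
                CheckpointConfig("ex2", "Schools", "Data Export", (), (house1,)),
                CheckpointConfig("ex3", "Schools", "Data Export", (school2,), (house1,)),
                CheckpointConfig("ex4", "Schools", "Data Export", (school2, pii)),
                CheckpointConfig("ex5", "Schools", "Data Export", (school2, pii), (profs,))):
        store.add(cfg)
    return store
```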

FIG. 18 shows flowcharts illustrating example operations of an access management system, according to one or more embodiments. The blocks of the flowcharts illustrate example implementations, and in various other implementations various blocks may be rearranged, optional, and/or omitted, and/or additional blocks may be added. The example operations of the system illustrated in FIG. 18 may be implemented, for example, by the checkpoints service 1505 and checkpoints configuration service 1702, and/or various aspects of the computing environment 1500, the access management system 110, and/or the data management system 150, and such operations may follow authentication of a user (such as described with reference to FIG. 4). As mentioned above, in various implementations, an operating system, file management system, and/or other service (e.g., authentication service 311 and/or aspects of the data management system 150) can manage authentication and authorizations/permissions/privileges of a user.

Referring to FIG. 18, at block 1802, the system receives, from a user (which may include an admin user or an analyst user), a request to view checkpoint record objects. At block 1804, the system generates and displays an interactive user interface including checkpoint record objects based on properties and permissions associated with the user. FIGS. 19A and 19J illustrate examples of such interactive user interfaces. The interactive user interfaces may include details associated with the checkpoint record objects. The user may only be able to view checkpoint record objects and associated detailed information available within their organization, group, scope, and/or the like, and/or that they have permission to view.

At block 1806, the system receives, from an admin user, a request to view checkpoint configuration objects. At block 1808, the system generates and displays an interactive user interface including checkpoint configuration objects based on properties and permissions associated with the admin user. FIG. 19B illustrates an example of such an interactive user interface. The interactive user interface may include details associated with the checkpoint configuration objects. The admin user may only be able to view checkpoint configuration objects within their organization, group, scope, and/or the like, and/or checkpoint configuration objects they have permission to view.

At block 1810, the system receives, from an admin user, a checkpoint configuration (e.g., a request to create a checkpoint configuration, i.e., a checkpoint config object). The checkpoint configuration may include any of the properties described above. The configuration may be received via one or more interactive user interfaces. FIGS. 19C-19I illustrate examples of such interactive user interfaces for a workflow for creating a checkpoint configuration. The checkpoint confirmation user interfaces may advantageously provide information regarding conflicts or potential conflicts with other checkpoint configurations. At block 1812, the system generates/creates a checkpoint configuration object including the properties defined by the admin user, including checkpoint configuration information (such as the checkpoint type, optionally one or more conditions, and/or the like), checkpoint frequency criteria, and/or the like.

FIGS. 19A-19J illustrate example interactive graphical user interfaces related to accessing and configuring purpose-based checkpoints, according to one or more embodiments. The example user interfaces are provided for illustrative purposes to show various functionalities of the system. In other implementations, the interactive graphical user interfaces may include more or fewer elements, may be arranged differently, and/or may be combined or divided. As mentioned above, the various example interactive graphical user interfaces may be generated/provided by any combination of the front-end asset for service S 1502, the checkpoints component library 1508, the checkpoints service 1505, the access service 313 of the access management system 110, and/or other services or modules of the system. FIGS. 19A-19J illustrate example interactive graphical user interfaces related to an admin user, among others, according to one or more embodiments.

Referring to FIG. 19A, the example interactive user interface includes a sortable and filterable list of checkpoint records (each corresponding to a checkpoint record object). Each of the checkpoint records includes various properties that are shown in different columns. The user may select a particular record and may view details associated with that record in the right sidebar 1904 of the user interface. The example user interface of FIG. 19A may be that of an admin user, and accordingly the admin user may view checkpoint record objects of various users for which they have permissions. However, because the admin user is subject to the same access controls/permissioning of the system as other users, if information included in the records is outside of the admin user's scope/permissions, certain records may not be displayed and/or details associated with the records may be redacted (as indicated for certain of the example records, such as record 1902, in the user interface of FIG. 19A). Accordingly, the admin user may advantageously be able to see that various checkpoints were activated, even if the admin user does not have access to the particular details of the checkpoints (such as, for example, the particular users or resources that were checkpointed). As described above, the system keeps track of all information associated with the checkpoints in the checkpoint record objects (e.g., via unique identifiers to related checkpoint config objects, checkpointed resources, and/or the like). Accordingly, and advantageously, while a particular admin user at one time may not have access to particular resources (and thus the information related to those resources is redacted by the system), if at a later time the particular admin user does obtain access to the particular resource the user interface can be updated to display the information associated with the previously-redacted resources (e.g., by the system referencing the resource information via the related unique identifiers).

Referring to FIG. 19J, the example interactive user interface includes a sortable and filterable list of checkpoint records (each corresponding to a checkpoint record object) similar to that of FIG. 19A, but for an analyst user (“user_a”). Accordingly, the analyst user may only view checkpoint record objects associated with their own actions. Similar to the user interface of FIG. 19A above, in the user interface of FIG. 19J the user may select a particular record (e.g., record 1952) and may view details associated with that record in the right sidebar 1956 of the user interface. Because the analyst user is subject to the controls/permissioning of the system, if information included in the records is outside of the analyst user's scope/permissions, certain records may not be displayed and/or details associated with the records may be redacted (as indicated for certain of the example records, such as record 1954). Accordingly, the analyst user may advantageously be able to see that various checkpoints were activated, even if the analyst user does not have access to the particular details of the checkpoints (such as, for example, the particular resources that were checkpointed). As described above, the system keeps track of all information associated with the checkpoints in the checkpoint record objects (e.g., via unique identifiers to related checkpoint config objects, checkpointed resources, and/or the like). Accordingly, and advantageously, while a particular analyst user at one time may not have access to particular resources (and thus the information related to those resources is redacted by the system), if at a later time the particular analyst user does obtain access to the particular resource the user interface can be updated to display the information associated with the previously-redacted resources (e.g., by the system referencing the resource information via the related unique identifiers).

Referring to FIG. 19B, the example interactive user interface includes a sortable and filterable list of checkpoint configurations (also referred to herein as “checkpoint configs”, and each corresponding to a checkpoint config object). Each of the checkpoint configs includes various properties and checkpoint configuration information that are shown in different columns. For example, checkpoint types for the various checkpoint configs are shown (e.g., “compass export”, “compass import”, etc.). Additionally, conditions associated with the checkpoint configs are shown, such as matchers 1914 and exemption matchers 1916.

In the example user interface of FIG. 19B, the admin user may select a particular config and may view details associated with that config. Additionally, the admin user may select to view a sample of the checkpoint via user interface button 1912, in response to which the system displays a sample popup dialog of the checkpoint. Because the admin user is subject to the same access controls/permissioning of the system as other users, if information included in the checkpoint configs is outside of the admin user's scope/permissions, certain configs may not be displayed and/or details associated with the configs may be redacted. The user may select a button 1918 to create a new checkpoint config, in response to which the system may display interactive user interfaces similar to those of FIGS. 19C-19I.

In the user interface of FIG. 19C, the admin user may configure the checkpoint configuration information. For example, the user may specify the relevant organization via a dropdown 1920, a type of the checkpoint (e.g., the action that may activate the checkpoint) via dropdown 1922, and one or more conditions (which correspond to the “matchers” of various types described above) via user interface controls 1924. The one or more conditions may include matchers or exemptions, and may be linked together using Boolean operators such as “AND” and “OR”. The conditions may be based on resources, users or groups, markings, and/or the like. In the case of a matcher, the condition must be satisfied for the checkpoint to activate for the associated action. For example, if a particular resource, user, or marking is specified, when a user takes the associated action, the checkpoint will only activate if the action also matches the specified resource, user, or marking. Similarly, in the case of an exemption, the checkpoint will not activate if the condition is satisfied. For example, if a particular resource, user, or marking is specified as an exemption, when a user takes the associated action, the checkpoint will not activate if the action also matches the specified resource, user, or marking. In the user interface of FIG. 19C, the admin user may also review any conflicts 1926 associated with the checkpoint as configured. For example, the system may compare the checkpoint config with other checkpoint configs in the system, and may determine that two or more checkpoint configs may activate for the same action, user, resource, marking, location, and/or the like. In response, the system may generate and display a notice 1926 indicating to the user that the checkpoint config may conflict with another checkpoint config. If there are no conflicts, then the system may display a notice that there are no conflicts.

In the user interface of FIG. 19D, the admin user may configure the checkpoint title, description, and prompt. In the user interfaces of FIGS. 19E-19G, the admin user may configure the justification type, including, e.g., acknowledgement, dropdown, or response. The acknowledgement type may include asking the user to check a box acknowledging that they have reviewed the justification associated with the checkpoint that may be configured by the admin user. The dropdown type may include asking the user to select one of multiple justification options that may be configured by the admin user. The dropdown type may also optionally include a field for a free text response from the user. The response type may include asking the user to provide a written response to the justification configured by the admin user. The free text response may optionally be validated by a regular expression configured by the admin user (e.g., to ensure that the user's response includes information that satisfies some requirement).

In the user interface of FIG. 19H, the admin user may optionally configure a checkpoint frequency (also referred to herein as “checkpoint frequency criteria”). For example, the user may specify a frequency with which any given analyst user should see the checkpoint. By default, the checkpoint frequency may be set to zero. When set to zero, the checkpoint will show every time any given analyst user takes an action that meets the various checkpoint configuration information. When set higher than zero, the checkpoint will show only if it has not been shown to any given analyst user within the last period of time specified by the checkpoint frequency (e.g., within the last number of minutes, hours, days, weeks, months, and/or the like). In various implementations, rather than a period of time, the admin user may specify a particular number of times that the action is invoked by a given analyst user.

In the user interface of FIG. 19I, the admin user may configure the checkpoint name and description (which may be displayed to the admin user in the list of checkpoint configs). In response to the admin user selecting “create checkpoint configuration”, the system generates a checkpoint config object with the properties and checkpoint configuration information, and optionally the frequency criteria, provided by the admin user. In an implementation, the admin user may also specify acceptable purposes associated with a checkpoint config using similar interactive user interfaces.

In various implementations, the system can provide one or more of the following example functionalities/advantages: (1) checkpoints may not leak organization information in a multi-tenant computing stack; (2) checkpoints may provide control over both user actions and actions on resources; (3) checkpoints may support confirmation and review at the organization and project level (and thus the system can support “org” admin users whose permissions are scoped for an organization and its associated projects/resources, and “project” admin users whose permissions are scoped for a project and its associated resources); (4) checkpoint scopes (e.g., configurations) can explain why a given user sees a checkpoint, e.g., resource-scoped checkpoints can be shown for all users who can see the resource, and user-scoped checkpoints can be shown for all primary members of an organization; (5) for a given checkpoint, the redaction level can explain which parts of the checkpoint record the reviewing user can see, e.g., resource-redaction can remove sensitive information about the resource that the sensitive action was taken on, and user-redaction can remove sensitive information about the user who took the sensitive action; (6) for a given resource-scoped checkpoint, the specificity can indicate which resources are checkpointed and what the checkpoint says; (7) project-admins can specify if resource-scoped checkpoints should only apply to certain resources (either the entire project or selected resources in the project); (8) configuring the checkpoints may not reveal sensitive data about users or resources; (9) project-admins may only configure the language of the checkpoints if org-admins who can discover the project (and hence review these checkpoints) can see all organizations, e.g., this constraint can prevent a project admin from changing the text to leak multi-tenant information to an org admin that cannot see the org markings on the project; (10) the user may see checkpoints from their organization or organizations that the user can discover that have a resource checkpoint on a resource on which the user is taking a sensitive action; (11) org-admins may view checkpoints of all scopes; (12) project-admins may only view resource-scoped checkpoints; and/or (13) org-admins and project-admins may see redacted checkpoints if they cannot discover resources/users on the platform.

Regarding scopes that may be applied to checkpoints, as mentioned above, the scope of a checkpoint can explain why a user sees a checkpoint. As noted above, checkpoint scopes can be accomplished via various configurations, e.g., matchers, locations, various rules, and/or other configurations. Further, various types of scopes may be applied together.

Resource-scoped checkpoints may be shown for all resources with an organization marking. Checkpoints with resource scope can be served because the organization admin user wants to protect resources from sensitive actions. Both organization admin users and project admin users can configure checkpoints with this scope. Further, both organization admin users and project admin users can view checkpoints with this scope. The system may communicate to the organization admin users that resource-scoped checkpoint prompts can be shown to users from other organizations. User-scoped checkpoints can be shown for all primary members of an organization. Checkpoints with user scope can be served because the organization admin user wants to ensure users do not perform sensitive actions. In various implementations, only organization admin users may configure checkpoints with this scope, and only organization admin users may view checkpoints with this scope. In various implementations, user-scoped checkpoints may not apply for guest members of an organization.

Advantageously, the purpose-based checkpoint functionality and/or the purpose-based access controls of the system may provide one or more of the following: (1) Configurability—Organizations may specify both what they consider a sensitive action to be (the actions for which they wanted users to provide a justification) and how they want users to provide their justifications (confirming data governance policies, providing a written justification, selecting an approved workstream, and/or the like); (2) Generalized Architecture—The system can both sit above all of the services and data that users regularly interact with and be agnostic to the technical implementation of these “sensitive actions”, the system can provide efficient application programming interfaces that can be hit to retrieve configuration prompts, save user justifications, and retrieve the saved user justifications, and the system can be deployed in a high availability configuration, and includes an object model so that it is legible and extensible; (3) Intuitive User Experience—The system can provide clear information regarding what action the user took and how the user has justified her action, this can allow data protection and compliance users to make the best decisions about data protection in the platform and give them ways to filter and drill down in the case of specific questions; (4) Access to User Interface for Analyzing Justifications—Justifications can show up in a specific user interface for only select data governance users to review (as specified by the organization), this can be enforced with specific access control and permissions schemes; (5) Balancing New Risks to Employee Privacy—Providing data protection and governance users with a richer understanding of user actions can pose new challenges to employee and workplace privacy, but data minimization and access controls can help reduce this new risk; and/or (6) All-Encompassing Access in the Platform—In order for governance and oversight users to do their jobs, they can be provided with knowledge of what is happening on the platform for granular investigations, access control schemes in the platform may impede data protection and compliance users from making sense of platform users' “sensitive actions,” thus, a central question becomes whether data oversight users should have wide-ranging access throughout the platform by default due to the nature of their jobs to review and audit sensitive actions, the system can provide flexibility and granular permissioning because the answer varies across organizations and industries.

XI. Additional Example Implementations and Functionality of Purpose-Based Checkpoints on User Actions

FIG. 20 shows a block diagram including another example computing environment 2000 for controlling user actions using checkpoints, according to one or more embodiments. The computing environment 2000 is an alternative implementation to that described above in reference to FIG. 15A, including some of the same components, and includes the front-end asset for service S 1502, the checkpoints service 1505, the example service S 1506, the checkpoints component library 1508, and a download controls library 2002. The computing environment 2000 can comprise a portion of, be implemented in, or be the same as, the computing environment 111 and/or the computing environment 1500 described above, and can include some or all of the components, features, and characteristics of the computing environment 111 and/or the computing environment 1500, according to various implementations. For example, one or more of the front-end asset for service S 1502, checkpoints service 1505, example service S 1506, checkpoints component library 1508, or download controls library 2002 may be implemented in one or more of the access management system 110, the data management system 150, or a user device such as the computer system 301, among other components of the computing environment 111 and/or the computing environment 1500. In an implementation, the front-end asset for service S 1502, checkpoints component library 1508, and the download controls library 2002 are implemented in computer system 301 (and/or transmitted to computer system 301 by access management system 110 and/or the data management system 150 to be executed, for example, in a web browser on computer system 301), example service S 1506 is implemented in the data management system 150, and the checkpoints service 1505 is implemented in the access management system 110. In various embodiments, the front-end asset for service S 1502 and example service S 1506 together comprise a data interaction service 315 that may provide various users with interactive user interfaces for interacting with data assets, e.g., data assets associated with a purpose/“project”. In various implementations, the “checkpoint” systems and methods of the present disclosure may be used with interactive user interfaces and applications for interacting with data assets even without an associated purpose/“project”.

The implementation shown in computing environment 2000, including the download controls library 2002, can be particularly useful for certain types of user actions that may not include actions taken by example service S 1506. For example, if the user action comprises export or printing of a PDF that is being viewed by the user via front-end asset for service S 1502, the example service S 1506 may not be involved in that action, as it may be a purely front-end action to perform such a download or printing operation. (The discussion of the present implementation may be similarly applied to other types of actions, but for conciseness the description is given in reference to the example actions of downloading or printing.) Thus, the example service S 1506 sometimes may not be the appropriate component to confirm that the user taking the action has satisfied a checkpoint config. Accordingly, the system can include the download controls library 2002, which may provide a check that the applicable checkpoint config has been satisfied by the user before the action proceeds.

Referring to FIG. 20, example numbered interactions among the components shown in computing environment 2000 will now be described. The following interactions are an example implementation, and other implementations are contemplated. Interactions 1/1′ and 2/2′ generally follow the same process as described above in reference to FIG. 15A. Interaction 3, which may also generally follow the same process as described above in reference to FIG. 15A, may optionally occur if some initial communication with the example service S 1506 is needed for the action the user is performing; in many cases, however, interaction 3 is not necessary. Before proceeding to perform the action, at interaction 4/4′ the download controls library 2002 communicates with the checkpoints service 1505 to confirm that the user has satisfied the criteria associated with the checkpoint. The communication may optionally include the unique identifier associated with the checkpoint record object that was returned in interaction 2/2′. The checkpoints service 1505 uses the unique identifier to verify that a legitimate checkpoint record was created and that the applicable criteria are satisfied. If the unique identifier corresponding to the checkpoint is empty, the download controls library 2002 verifies that this action was not configured to require a checkpoint. The download controls library 2002 may request the user's auth header and the (optional) unique identifier corresponding to the checkpoint. In response, the checkpoints service 1505 may indicate whether the action can proceed, based on whether the checkpoint had actually been created and its criteria satisfied, or whether the checkpoint was not actually required. If the checkpoint is satisfied, the download controls library 2002 proceeds with performing the requested action, or allows the requested action to be performed (e.g., downloading or printing a PDF).
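The interaction 4/4′ exchange described above, as an added example that is not the patent's own code: a simulated checkpoints service that issues a checkpoint record identifier only when the justification meets the config's criteria, and a download controls gate that asks the service to confirm that record before a front-end download or print proceeds. The action names, the justification-type values and the class names are assumptions made for the example; the decision rests on the service's own records, never on what the client presents.

```python
"""Added example (not the patent's code): simulates the FIG. 20 exchange in which
a front-end download controls library asks the checkpoints service to confirm,
before a purely front-end action such as a PDF download or print proceeds, that
the user actually satisfied the applicable checkpoint. Names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass(frozen=True)
class CheckpointConfig:
    """Checkpoint config object: which action is sensitive and which
    justification type the user must supply to satisfy it."""
    action: str                 # e.g. "download-pdf" (hypothetical action name)
    justification_type: str     # "acknowledgement" | "free-text" | "dropdown"
    dropdown_options: tuple = ()


@dataclass
class CheckpointRecord:
    """Checkpoint record object, created only once the criteria were satisfied."""
    record_id: str
    user: str
    action: str
    justification: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class CheckpointsService:
    def __init__(self) -> None:
        self._configs: Dict[str, CheckpointConfig] = {}
        self._records: Dict[str, CheckpointRecord] = {}

    def configure(self, cfg: CheckpointConfig) -> None:
        self._configs[cfg.action] = cfg

    def _criteria_met(self, cfg: CheckpointConfig, justification: str) -> bool:
        if cfg.justification_type == "acknowledgement":
            return justification == "acknowledged"
        if cfg.justification_type == "free-text":
            return len(justification.strip()) > 0
        if cfg.justification_type == "dropdown":
            return justification in cfg.dropdown_options
        return False

    def submit_checkpoint(self, user: str, action: str,
                          justification: str) -> Optional[str]:
        """Interaction 2/2': the dialog response. Returns the record's unique
        identifier only if the criteria are satisfied; otherwise None."""
        cfg = self._configs.get(action)
        if cfg is None or not self._criteria_met(cfg, justification):
            return None
        rid = secrets.token_hex(16)   # unpredictable identifier
        self._records[rid] = CheckpointRecord(rid, user, action, justification)
        return rid

    def verify(self, auth_user: str, action: str,
               record_id: Optional[str]) -> Decision:
        """Interaction 4/4': the server-side check. auth_user is the identity
        from the user's auth header, not a value the client chooses freely."""
        required = action in self._configs
        if not record_id:
            # Empty identifier: allowed only if no checkpoint was configured.
            if required:
                return Decision(False, "checkpoint required but none presented")
            return Decision(True, "no checkpoint configured for action")
        rec = self._records.get(record_id)
        if rec is None:
            return Decision(False, "unknown checkpoint record")
        if rec.user != auth_user:
            return Decision(False, "record belongs to a different user")
        if rec.action != action:
            return Decision(False, "record was created for a different action")
        return Decision(True, "checkpoint satisfied")


def download_controls_gate(service: CheckpointsService, auth_user: str,
                           action: str, record_id: Optional[str]) -> bool:
    """Front-end download controls library: proceed only on an allow decision."""
    return service.verify(auth_user, action, record_id).allowed
```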

Advantageously, the implementation described in reference to computing environment 2000 can enable checkpointing of even actions that happen on the front-end, e.g., by downloading data that was already loaded onto the front-end on a client/user device. In this implementation, the system may include a checkpoint type for such front-end type actions, or the system may automatically determine if an action is a front-end action and may apply the checkpointing as described above. Other features and functionality of the system, including the user experience, checkpoint confirmation, and the like, can function analogously to what is described above in reference to FIGS. 15A-15B, 16A-16D, 17A-17C, 18, and 19A-19J.

FIG. 21 shows a block diagram including another example computing environment 2100 for controlling user actions using checkpoints, according to one or more embodiments. The computing environment 2100 is an alternative implementation to that described above in reference to FIG. 15A, including some of the same components, and includes the front-end asset for service S 1502, the checkpoints service 1505, the example service S 1506, a front-end asset for checkpoints 2102, and a multipass 2104. The computing environment 2100 can comprise a portion of, be implemented in, or be the same as, the computing environment 111, the computing environment 1500, and/or other computing environments described above, and can include some or all of the components, features, and characteristics of the computing environment 111, the computing environment 1500, and/or other computing environments described herein, according to various implementations. For example, one or more of the front-end asset for service S 1502, checkpoints service 1505, example service S 1506, front-end asset for checkpoints 2102, or multipass 2104 may be implemented in one or more of the access management system 110, the data management system 150, or a user device such as the computer system 301, among other components of the computing environment 111, the computing environment 1500, and/or other computing environments described herein. In an implementation, the front-end asset for service S 1502 and the front-end asset for checkpoints 2102 are implemented in computer system 301 (and/or transmitted to computer system 301 by access management system 110 and/or the data management system 150 to be executed, for example, in a web browser on computer system 301), example service S 1506 is implemented in the data management system 150, and the checkpoints service 1505 and the multipass 2104 are implemented in the access management system 110. In various embodiments, the front-end asset for service S 1502 and example service S 1506 together comprise a data interaction service 315 that may provide various users with interactive user interfaces for interacting with data assets, e.g., data assets associated with a purpose/“project”. In various implementations, the “checkpoint” systems and methods of the present disclosure may be used with interactive user interfaces and applications for interacting with data assets even without an associated purpose/“project”.

The implementation shown in computing environment 2100, including the front-end asset for checkpoints 2102 and multipass 2104, can be particularly useful for certain types of user actions, including elevation of a user's privileges or permissions. Elevation of permissions, including temporary elevation of permissions to perform various tasks, may be an allowed action for a particular user. However, it may be advantageous to checkpoint such a permissions elevation action for the same reasons that it is advantageous to checkpoint the various other user actions described herein. In various implementations, elevation of permissions may include an additional step to be performed by a user: performing a “challenge” (e.g., providing some credential or password). The system of the present disclosure can advantageously retain such a step even with the addition of the checkpointing processes. In some cases, a user may attempt to perform an action, and may be notified by the system that they cannot perform that action without elevating their permissions. The user may then proceed to elevate their permissions. The presently described system may provide for checkpointing of the action being taken by the user, and/or checkpointing of the permissions elevation action. In some implementations, the two checkpoints may be integrated or combined into a single combined checkpoint and/or dialog to simplify the user's interaction. Additionally, if a “challenge” must be satisfied by the user to elevate permissions, the “challenge” may similarly be integrated or combined into a checkpoint and/or dialog to simplify the user's interaction.

Referring to the computing environment 2100 of FIG. 21, the front-end asset for checkpoints 2102 may be similar to the checkpoints component library 1508 described above, in that it may provide a front-end library or asset for providing dialogs or interactions with the user to implement the checkpoint functionality described herein. Multipass 2104 may comprise a system or service for managing permissions levels of users. As such, multipass 2104 may, for example, determine a user's permissions (including with respect to an action being taken, a resource, and/or the like), determine whether permissions elevation is available, confirm permissions elevation, confirm that any “challenges” are satisfied by the user, and/or the like. The checkpoints components of the system may function in conjunction with the example service S 1506, the front-end asset for service S 1502, and multipass 2104 to provide checkpointing functionality for permissions change type actions, including elevation of permissions.

Referring again to FIG. 21, example numbered interactions among the components shown in computing environment 2100 will now be described. The following interactions are an example implementation, and other implementations are contemplated. At interaction 1/1′, when a user interacting with the front-end asset for service S 1502 attempts to take some action in Service S, the front-end asset for service S 1502 communicates with example service S 1506, and example service S 1506 determines (optionally by interaction with multipass 2104 and/or another permissions service of the system) that a permissions elevation is required to take the action. Accordingly, the example service S 1506 returns an error with that information (that a permissions elevation is required).

At interaction 2/2′, the example service S 1506 parses the error and generates a challenge context for permissions elevation, initializing the permissions elevation process. Multipass 2104 responds with an intermediate view, which can include a “challenge,” that can be displayed to the user. At interaction 3, assuming the permissions of the user are to be elevated (as determined by multipass 2104 and/or other permissions services or processes of the system, and which may include satisfying the “challenge”), the request is redirected to the checkpoints app, in this case the front-end asset for checkpoints 2102. At interaction 4/4′, the system determines whether any checkpoint config is associated with the permissions elevation request (e.g., that the checkpoint configuration information is satisfied, that the frequency criteria are satisfied, and/or the like). If so, the redirect brings up, via the front-end asset for checkpoints 2102 and the checkpoints service 1505, a checkpoints dialog, and receives a response from the user. This interaction is analogous to the interaction 2/2′ described above in reference to the computing environment 1500. At interaction 5, the user's input to the checkpoint has been received by the checkpoints service 1505, the checkpoint criteria are satisfied, and a checkpoint record object is created (as described above), and at interaction 5′ the system redirects back to the front-end asset for service S 1502 with an indication that the checkpoint has been satisfied. At interaction 6, multipass 2104 is notified that the checkpoint has been satisfied and that the user's permissions can be elevated. Optionally, or alternatively (e.g., if the user was not challenged in interaction 2/2′), at interaction 7/7′ the user may be challenged again. Assuming the user has both satisfied the challenge and satisfied the checkpoint, at interaction 8 the front-end asset for service S 1502 again attempts to take the action in Service S, and example service S 1506 then responds by proceeding with the action (e.g., because Service S can determine that the user's permissions have been elevated sufficiently to take that action).

Advantageously, the implementation described in reference to computing environment 2100 can enable checkpointing of even elevation of permissions of a user that is attempting to take an action. In this implementation, the system may include a checkpoint type for such permissions elevations, or the system may automatically determine if an action is a permissions elevation and may apply the checkpointing as described above. Other features and functionality of the system, including the user experience, checkpoint confirmation, and the like, can function analogously to what is described above in reference to FIGS. 15A-15B, 16A-16D, 17A-17C, 18, and 19A-19J.

FIG. 22 shows a block diagram including another example computing environment 2200 for controlling user actions using checkpoints, according to one or more embodiments. The computing environment 2200 is an alternative implementation to that described above in reference to FIGS. 15A and 21, including some of the same components, and includes the checkpoints service 1505, multipass 2104, a multipass login page 2202, and a checkpoints login view 2204. The computing environment 2200 can comprise a portion of, be implemented in, or be the same as, the computing environment 111, the computing environment 1500, and/or other computing environments described above, and can include some or all of the components, features, and characteristics of the computing environment 111, the computing environment 1500, and/or other computing environments described herein, according to various implementations. For example, one or more of the checkpoints service 1505, multipass 2104, the multipass login page 2202, or the checkpoints login view 2204 may be implemented in one or more of the access management system 110, the data management system 150, or a user device such as the computer system 301, among other components of the computing environment 111, the computing environment 1500, and/or other computing environments described herein. In an implementation, the multipass login page 2202 and the checkpoints login view 2204 are implemented in computer system 301 (and/or transmitted to computer system 301 by access management system 110 and/or the data management system 150 to be executed, for example, in a web browser on computer system 301), and the checkpoints service 1505 and the multipass 2104 are implemented in the access management system 110. In various embodiments, the multipass 2104 and multipass login page 2202 together comprise an authentication service 311 or an access service 313 that may provide various functionality and user interfaces for allowing a user to log in (including authentication of the user's credentials) to a system to gain access to software applications (such as data interaction services 315), data assets (e.g., data assets associated with a purpose/“project”), and/or the like. In various implementations, the “checkpoint” systems and methods of the present disclosure may be used with login functionality even without an associated purpose/“project”.

The implementation shown in computing environment 2200, including the various illustrated components of the system, can be particularly useful for certain types of user actions, including logging in to a system. A login checkpoint can ask users for justifications when they are logging into any system. The architecture behind login checkpoints may deviate from the other checkpoint implementations described above because the login checkpoint can be displayed as part of a login flow before the user has completed full authentication with the system. Since the user is not yet logged into the system and, for example, using an application or accessing resources, no “example service S” is involved in the process. Accordingly, the implementation includes the multipass login page 2202 and checkpoints login view 2204, each supported on the backend by multipass 2104 and checkpoints service 1505, to provide a checkpointed login flow. As with the various checkpoints described above, the login checkpoint can also be configured from the checkpoint configuration workflow, and login checkpoints can include acknowledgement, free-text response, and dropdown justification types. Advantageously, login checkpoints can show different configurations per tenant because the checkpoint config objects are stored in an org-aware way, and the checkpoints login is typically used after multipass login page 2202 and multipass 2104 have triaged a user to their organization based on attribute information from the user's and/or an organization's system. Login checkpoints can also support an additional step to be performed by a user, e.g., performing a “challenge” to satisfy a second factor authentication. In various implementations, completion of a login checkpoint may be considered a further step to being able to log in to a system.

Referring to the computing environment 2200 of FIG. 22, the checkpoints login view 2204 may be similar to the checkpoints component library 1508 described above, in that it may provide a front-end library or asset for providing dialogs or interactions with the user to implement the checkpoint functionality described herein. Multipass login page 2202 may comprise a library, asset, or page for a user to input their login credentials to be used for authentication of the user via multipass 2104. As such, multipass 2104 may, for example, determine a user's credentials are correct, and may thereby authenticate the user. The checkpoints components of the system may function together to provide checkpointing functionality for login type actions.

Referring again to FIG. 22, example numbered interactions among the components shown in computing environment 2200 will now be described. The following interactions are an example implementation, and other implementations are contemplated. At interaction 1/1′, when a user interacting with the multipass login page 2202 attempts to log in to the system by providing their login credentials (e.g., a username and password), the multipass login page 2202 communicates with multipass 2104, and multipass 2104 determines that the user's credentials are correct. Accordingly, the user has succeeded with a first factor authentication. At interaction 2, the system kicks off a challenge process of the login flow that checkpoints may hook into, optionally in addition to any other second factor authentication that the user may need to satisfy. Accordingly, the user interface redirects, in interactions 2 and 3, to the checkpoints service 1505. Via the checkpoints service 1505, the system determines whether any checkpoint config is associated with the user's login request (e.g., that the checkpoint configuration information is satisfied, that the frequency criteria are satisfied, and/or the like). As noted above, the login request may be associated with an organization, and thus some login requests may be associated with a checkpoint config object while others may not (because the checkpoint config objects can be organization-specific). Assuming a checkpoint config is associated with the login, at interaction 4, a checkpoint dialog is displayed to the user. Checkpoints login view 2204 may comprise a checkpoint dialog or window which may request an input from the user in response to a checkpoint request in accordance with a checkpoint config object.

At interactions 5/5′, the system receives a response from the user via the checkpoint dialog. This interaction is analogous to the interaction 2/2′ described above in reference to the computing environment 1500. Thus, at interaction 5, the user's input to the checkpoint has been received by the checkpoints service 1505, the checkpoint criteria are satisfied, and a checkpoint record object is created (as described above), and at interaction 5′ the system redirects back to the multipass login page 2202 with an indication that the checkpoint has been satisfied. At interaction 6, multipass 2104 is notified that the checkpoint has been satisfied and that the user's login can proceed. At interaction 7, the user has completed the steps required to log in, and the system proceeds with the authenticated user. Optionally, or alternatively, the user may also, at any interaction of the process described above, be challenged for a second factor authentication to complete the authentication process.

In various implementations, the checkpoints may be useful in presenting EULAs to users. Such may be the case, for example, when users log in to the system. Thus, a login checkpoint may comprise presentation of a EULA, and the user's response may comprise acceptance of the EULA. Frequency criteria associated with checkpoint configs may be particularly advantageous in such cases, as it may be undesirable to present a EULA to the user every time they log in. Accordingly, the frequency criteria may be set such that the user only sees the EULA-related checkpoint every week, or every month, for example.

Advantageously, the implementation described in reference to computing environment 2200 can enable checkpointing of even login and authentication actions by a user. In this implementation, the system may include a checkpoint type for such logins, or the system may automatically determine if an action is a login action and may apply the checkpointing as described above. Other features and functionality of the system, including the user experience, checkpoint confirmation, and the like, can function analogously to what is described above in reference to FIGS. 15A-15B, 16A-16D, 17A-17C, 18, and 19A-19J.

As noted above, checkpoints can be configured to be organization-specific (however, in some implementations they may be configured without specifying an organization). This feature allows for multi-tenant (e.g., multi-organization) checkpoints, where one tenant on a multi-tenant system might require certain checkpoint language for a certain type of action, but that checkpoint language does not impact users in other tenants on the system. In various implementations, this can mean that each checkpoint config object can be uniquely identified by the following three keys: (1) Organization, (2) Checkpoint Type, and (3) Checkpoint Config Matchers (resource matchers, principal matchers, and/or marking matchers). Customers that manage several tenants on a system may find this setup difficult if they need to keep all of the configurations across their organizations in sync. Thus, advantageously, in some implementations the checkpoints system described herein can be adapted to operate at a higher level of abstraction, the enrollment, that encompasses all organizations for a given customer. In these implementations, a checkpoint config can be keyed by: (1) Enrollment (which can cover multiple organizations), (2) Checkpoint Type, and (3) Checkpoint Config Matchers. The system may then automatically expand these checkpoint config objects into objects keyed to each organization within the given enrollment.
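The three-key identification and the enrollment expansion described above, as an added example that is not the patent's own code: config objects are stored under (organization, checkpoint type, matchers) so a lookup for one tenant can never return another tenant's config, and an enrollment-level config is expanded into one org-keyed object per organization. The organization names, matcher attributes and class names are assumptions made for the example.

```python
"""Added example (not the patent's code): keys a checkpoint config object by
(organization, checkpoint type, matchers), so that one tenant's checkpoint never
reaches another tenant, and expands an enrollment-level config into one
org-keyed config per organization. All names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A matcher is an (attribute, value) pair that must hold for the action, e.g.
# ("marking", "sensitive") as a marking matcher or ("principal", "analyst")
# as a principal matcher. Frozen so it can be part of a dictionary key.
Matchers = FrozenSet[Tuple[str, str]]
ConfigKey = Tuple[str, str, Matchers]     # (organization, checkpoint type, matchers)


@dataclass(frozen=True)
class CheckpointConfig:
    organization: str
    checkpoint_type: str
    matchers: Matchers
    prompt_text: str

    @property
    def key(self) -> ConfigKey:
        """The three keys that uniquely identify a checkpoint config object."""
        return (self.organization, self.checkpoint_type, self.matchers)


@dataclass(frozen=True)
class EnrollmentConfig:
    """Higher-level config covering every organization of one customer."""
    enrollment: str
    checkpoint_type: str
    matchers: Matchers
    prompt_text: str


def expand_enrollment(cfg: EnrollmentConfig,
                      enrollment_orgs: Dict[str, List[str]]) -> List[CheckpointConfig]:
    """Expand an enrollment-keyed config into one org-keyed config per
    organization in that enrollment (unknown enrollments expand to nothing)."""
    return [CheckpointConfig(org, cfg.checkpoint_type, cfg.matchers, cfg.prompt_text)
            for org in enrollment_orgs.get(cfg.enrollment, [])]


class ConfigStore:
    def __init__(self) -> None:
        self._configs: Dict[ConfigKey, CheckpointConfig] = {}

    def put(self, cfg: CheckpointConfig) -> None:
        # Same three keys: the new object replaces the old one, never duplicates it.
        self._configs[cfg.key] = cfg

    def applicable(self, organization: str, checkpoint_type: str,
                   attributes: Dict[str, str]) -> List[CheckpointConfig]:
        """Configs for this organization and checkpoint type whose matchers all
        hold for the action's attributes. The organization comes from the
        authenticated session, so another tenant's configs are never consulted."""
        attrs = set(attributes.items())
        return [c for c in self._configs.values()
                if c.organization == organization
                and c.checkpoint_type == checkpoint_type
                and c.matchers <= attrs]
```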

XII. Additional Implementation Details and Embodiments

In an implementation the system (e.g., one or more aspects of the access management system 110, the data management system 150, other aspects of the computing environment 111, and/or the like) may comprise, or be implemented in, a “virtual computing environment”. As used herein, the term “virtual computing environment” should be construed broadly to include, for example, computer readable program instructions executed by one or more processors (e.g., as described in the example of FIG. 8) to implement one or more aspects of the modules and/or functionality described herein. Further, in this implementation, one or more services/modules/engines/etc. of the system may be understood as comprising one or more rules engines of the virtual computing environment that, in response to inputs received by the virtual computing environment, execute rules and/or other program instructions to modify operation of the virtual computing environment. For example, a request received from the user computing device 301 may be understood as modifying operation of the virtual computing environment to cause the requested access to a resource from the system. Such functionality may comprise a modification of the operation of the virtual computing environment in response to inputs and according to various rules. Other functionality implemented by the virtual computing environment (as described throughout this disclosure) may further comprise modifications of the operation of the virtual computing environment; for example, the operation of the virtual computing environment may change depending on the information gathered by the system. Initial operation of the virtual computing environment may be understood as an establishment of the virtual computing environment. In some implementations the virtual computing environment may comprise one or more virtual machines, containers, and/or other types of emulations of computing systems or environments. In some implementations the virtual computing environment may comprise a hosted computing environment that includes a collection of physical computing resources that may be remotely accessible and may be rapidly provisioned as needed (commonly referred to as a “cloud” computing environment).

Implementing one or more aspects of the system as a virtual computing environment may advantageously enable executing different aspects or modules of the system on different computing devices or processors, which may increase the scalability of the system. Implementing one or more aspects of the system as a virtual computing environment may further advantageously enable sandboxing various aspects, data, or services/modules of the system from one another, which may increase security of the system by preventing, e.g., malicious intrusion into the system from spreading. Implementing one or more aspects of the system as a virtual computing environment may further advantageously enable parallel execution of various aspects or modules of the system, which may increase the scalability of the system. Implementing one or more aspects of the system as a virtual computing environment may further advantageously enable rapid provisioning (or de-provisioning) of computing resources to the system, which may increase scalability of the system by, e.g., expanding computing resources available to the system or duplicating operation of the system on multiple computing resources. For example, the system may be used by thousands, hundreds of thousands, or even millions of users simultaneously, and many megabytes, gigabytes, or terabytes (or more) of data may be transferred or processed by the system, and scalability of the system may enable such operation in an efficient and/or uninterrupted manner.

Various embodiments of the present disclosure may be a system, a method, and/or a computer program product at any possible technical detail level of integration. The computer program product may include a computer readable storage medium (or mediums) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure.

For example, the functionality described herein may be performed as software instructions are executed by, and/or in response to software instructions being executed by, one or more hardware processors and/or any other suitable computing devices. The software instructions and/or other executable code may be read from a computer readable storage medium (or mediums). Computer readable storage mediums may also be referred to herein as computer readable storage or computer readable storage devices.

The computer readable storage medium can be a tangible device that can retain and store data and/or instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device (including any volatile and/or non-volatile electronic storage devices), a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a solid state drive, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions (as also referred to herein as, for example, “code,” “instructions,” “module,” “application,” “software application,” and/or the like) for carrying out operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages, such as the “C” programming language or similar programming languages. Computer readable program instructions may be callable from other instructions or from themselves, and/or may be invoked in response to detected events or interrupts. Computer readable program instructions configured for execution on computing devices may be provided on a computer readable storage medium, and/or as a digital download (and may be originally stored in a compressed or installable format that requires installation, decompression or decryption prior to execution) that may then be stored on a computer readable storage medium. Such computer readable program instructions may be stored, partially or fully, on a memory device (e.g., a computer readable storage medium) of the executing computing device, for execution by the computing device. The computer readable program instructions may execute entirely on a user's computer (e.g., the executing computing device), partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general-purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart(s) and/or block diagram(s) block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer-implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer may load the instructions and/or modules into its dynamic memory and send the instructions over a telephone, cable, or optical line using a modem. A modem local to a server computing system may receive the data on the telephone/cable/optical line and use a converter device including the appropriate circuitry to place the data on a bus. The bus may carry the data to a memory, from which a processor may retrieve and execute the instructions. The instructions received by the memory may optionally be stored on a storage device (e.g., a solid-state drive) either before or after execution by the computer processor.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a service, module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In addition, certain blocks may be omitted or optional in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate.

It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions. For example, any of the processes, methods, algorithms, elements, blocks, applications, or other functionality (or portions of functionality) described in the preceding sections may be embodied in, and/or fully or partially automated via, electronic hardware such as application-specific processors (e.g., application-specific integrated circuits (ASICs)), programmable processors (e.g., field programmable gate arrays (FPGAs)), application-specific circuitry, and/or the like (any of which may also combine custom hard-wired logic, logic circuits, ASICs, FPGAs, and/or the like with custom programming/execution of software instructions to accomplish the techniques).

Any of the above-mentioned processors, and/or devices incorporating any of the above-mentioned processors, may be referred to herein as, for example, “computers,” “computer devices,” “computing devices,” “hardware computing devices,” “hardware processors,” “processing units,” and/or the like. Computing devices of the above embodiments may generally (but not necessarily) be controlled and/or coordinated by operating system software, such as Mac OS, iOS, Android, Chrome OS, Windows OS (e.g., Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11, Windows Server, and/or the like), Windows CE, Unix, Linux, SunOS, Solaris, Blackberry OS, VxWorks, or other suitable operating systems. In other embodiments, the computing devices may be controlled by a proprietary operating system. Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, and I/O services, and provide user interface functionality, such as a graphical user interface (“GUI”), among other things.

For example, FIG. 8 shows a block diagram that illustrates a computer system 800 upon which various implementations and/or aspects (e.g., one or more aspects of the access management system 110, the data management system 150, other aspects of the computing environment 111, and/or the like) may be implemented. Computer system 800 includes a bus 802 or other communication mechanism for communicating information, and a hardware processor, or multiple processors, 804 coupled with bus 802 for processing information. Hardware processor(s) 804 may be, for example, one or more general purpose microprocessors.

Computer system 800 also includes a main memory 806, such as a random-access memory (RAM), cache and/or other dynamic storage devices, coupled to bus 802 for storing information and instructions to be executed by processor 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804. Such instructions, when stored in storage media accessible to processor 804, render computer system 800 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804. A storage device 810, such as a magnetic disk, optical disk, or USB thumb drive (Flash drive), and/or the like, is provided and coupled to bus 802 for storing information and instructions.

Computer system 800 may be coupled via bus 802 to a display 812, such as a cathode ray tube (CRT) or LCD display (or touch screen), for displaying information to a computer user. An input device 814, including alphanumeric and other keys, is coupled to bus 802 for communicating information and command selections to processor 804. Another type of user input device is cursor control 816, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane. In some embodiments, the same direction information and command selections as cursor control may be implemented via receiving touches on a touch screen without a cursor.

Computing system 800 may include a user interface module to implement a GUI that may be stored in a mass storage device as computer executable program instructions that are executed by the computing device(s). Computer system 800 may further, as described below, implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 800 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 800 in response to processor(s) 804 executing one or more sequences of one or more computer readable program instructions contained in main memory 806. Such instructions may be read into main memory 806 from another storage medium, such as storage device 810. Execution of the sequences of instructions contained in main memory 806 causes processor(s) 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

Various forms of computer readable storage media may be involved in carrying one or more sequences of one or more computer readable program instructions to processor 804 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802. Bus 802 carries the data to main memory 806, from which processor 804 retrieves and executes the instructions. The instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804.

Computer system 800 also includes a communication interface 818 coupled to bus 802. Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822. For example, communication interface 818 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN (or a WAN component to communicate with a WAN). Wireless links may also be implemented. In any such implementation, communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 820 typically provides data communication through one or more networks to other data devices. For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826. ISP 826 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the “Internet” 828. Local network 822 and Internet 828 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 820 and through communication interface 818, which carry the digital data to and from computer system 800, are example forms of transmission media.

Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818. In the Internet example, a server 830 might transmit a requested code for an application program through Internet 828, ISP 826, local network 822 and communication interface 818.

The received code may be executed by processor 804 as it is received, and/or stored in storage device 810, or other non-volatile storage for later execution.

As described above, in various embodiments certain functionality may be accessible by a user through a web-based viewer (such as a web browser, or other suitable software program). In such implementations, the user interface may be generated by a server computing system and transmitted to a web browser of the user (e.g., running on the user's computing system). Alternatively, data (e.g., user interface data) necessary for generating the user interface may be provided by the server computing system to the browser, where the user interface may be generated (e.g., the user interface data may be executed by a browser accessing a web service and may be configured to render the user interfaces based on the user interface data). The user may then interact with the user interface through the web browser. User interfaces of certain implementations may be accessible through one or more dedicated software applications. In certain embodiments, one or more of the computing devices and/or systems of the disclosure may include mobile computing devices, and user interfaces may be accessible through such mobile computing devices (for example, smartphones and/or tablets).

Many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the systems and methods can be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the systems and methods should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the systems and methods with which that terminology is associated.

Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements, and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.

The term “substantially” when used in conjunction with the term “real-time” forms a phrase that will be readily understood by a person of ordinary skill in the art. For example, it is readily understood that such language will include speeds in which no or little delay or waiting is discernible, or where such delay is sufficiently short so as not to be disruptive, irritating, or otherwise vexing to a user.

Conjunctive language such as the phrase “at least one of X, Y, and Z,” or “at least one of X, Y, or Z,” unless specifically stated otherwise, is to be understood with the context as used in general to convey that an item, term, and/or the like may be either X, Y, or Z, or a combination thereof. For example, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of X, at least one of Y, and at least one of Z to each be present.

The term “a” as used herein should be given an inclusive rather than exclusive interpretation. For example, unless specifically noted, the term “a” should not be understood to mean “exactly one” or “one and only one”; instead, the term “a” means “one or more” or “at least one,” whether used in the claims or elsewhere in the specification and regardless of uses of quantifiers such as “at least one,” “one or more,” or “a plurality” elsewhere in the claims or specification.

The term “comprising” as used herein should be given an inclusive rather than exclusive interpretation. For example, a general-purpose computer comprising one or more processors should not be interpreted as excluding other computer components, and may possibly include such components as memory, input/output devices, and/or network interfaces, among others.

While the above detailed description has shown, described, and pointed out novel features as applied to various embodiments, it may be understood that various omissions, substitutions, and changes in the form and details of the devices or processes illustrated may be made without departing from the spirit of the disclosure. As may be recognized, certain embodiments of the inventions described herein may be embodied within a form that does not provide all of the features and benefits set forth herein, as some features may be used or practiced separately from others. The scope of certain inventions disclosed herein is indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

XIII. Example Clauses

Examples of the implementations of the present disclosure can be described in view of the following example clauses. The features recited in the below example implementations can be combined with additional features disclosed herein. Furthermore, additional inventive combinations of features are disclosed herein, which are not specifically recited in the below example implementations, and which do not include the same features as the specific implementations below. For sake of brevity, the below example implementations do not identify every inventive aspect of this disclosure. The below example implementations are not intended to identify key features or essential features of any subject matter described herein. Any of the example clauses below, or any features of the example clauses, can be combined with any one or more other example clauses, or features of the example clauses or other features of the present disclosure.

Clause 1: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to perform an action; determining any checkpoint config objects associated with the action; causing display of a checkpoint dialog based on a checkpoint config object; determining whether criteria associated with the checkpoint config object are satisfied; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and proceeding to perform the action.

Clause 2: The computer-implemented method of Clause 1, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.

Clause 3: The computer-implemented method of Clause 2, wherein the instructions comprise at least one of: a title, a description, or a prompt.

Clause 4: The computer-implemented method of any of Clauses 1-3 further comprising, by the one or more hardware processors executing program instructions: receiving a user input via the checkpoint dialog, wherein said determining whether criteria associated with the checkpoint config object are satisfied is based on the user input.

Clause 5: The computer-implemented method of Clause 4, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.

Clause 6: The computer-implemented method of any of Clauses 1-4, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.

Clause 7: The computer-implemented method of any of Clauses 1-6 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: denying the request to perform the action.

Clause 8: The computer-implemented method of any of Clauses 1-7, wherein said generating the checkpoint record object comprises: enriching the checkpoint record object with information associated with the action.

Clause 9: The computer-implemented method of Clause 8, wherein said enriching the checkpoint record object with information associated with the action comprises: receiving information from a service associated with the action.

Clause 10: The computer-implemented method of Clause 1, wherein the checkpoint config object comprises at least one of: a checkpoint type, or one or more conditions.

Clause 11: The computer-implemented method of any of Clauses 1-10, wherein said determining any checkpoint config objects associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with the checkpoint config object is satisfied.

Clause 12: A computer-implemented method for configuring purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a first user, a checkpoint configuration comprising at least: a specification of an organization; a specification of a checkpoint type; a specification of a checkpoint prompt; and a specification of a justification type, wherein the justification type comprises at least one of: an acknowledgement, a selection from a dropdown, or an input of a written response; generating a checkpoint configuration object including the checkpoint configuration; and in response to a request to perform an action, determining applicability of the checkpoint configuration object to the action based on the checkpoint configuration.

Clause 13: The computer-implemented method of Clause 13 wherein the checkpoint configuration further comprises: one or more conditions, wherein the conditions comprise rules for activating the checkpoint configuration.

Clause 14: The computer-implemented method of Clause 13 further comprising, by the one or more hardware processors executing program instructions: receiving, from the first user, a request to view checkpoint configuration objects; and displaying checkpoint configuration objects based on properties and permissions associated with the user, wherein the checkpoint configuration objects include the checkpoint configuration object.

Clause 15: The computer-implemented method of any of Clauses 12-14 further comprising, by the one or more hardware processors executing program instructions: receiving, from the first user, a request to view checkpoint record objects; and determining and displaying checkpoint record objects based on properties and permissions associated with the first user.

Clause 16: The computer-implemented method of Clause 16 further comprising, by the one or more hardware processors executing program instructions: determining and displaying one or more properties associated with the checkpoint record objects.

Clause 17: The computer-implemented method of Clause 17, wherein said determining one or more properties associated with the checkpoint record objects comprises: determining one or more properties associated with one or more of the checkpoint record objects that the first user does not have permission to view; and redacting the determined one or more properties from display.
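The checkpoint flow of Clauses 1-17 (find the applicable checkpoint config objects for a requested action, send a dialog to the user device, validate the justification, write an enriched checkpoint record object, and later show those records with redaction according to the viewer's permissions) is illustrated below as an added example. It is not the patent's code or any particular implementation of it; the object shapes, field names, the ten-character minimum for a written justification and the `view_justifications` permission are assumptions made for the illustration.

```python
"""Purpose-based checkpoint enforcement, an added illustration of Clauses 1-17 (not the
patent's code). Object shapes, field names, the written-justification minimum length and
the "view_justifications" permission are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid


@dataclass
class CheckpointConfig:
    config_id: str
    organization: str
    checkpoint_type: str            # which kind of action this config guards
    prompt: str
    justification_type: str         # "acknowledgement" | "dropdown" | "written"
    conditions: list = field(default_factory=list)   # predicates over the action
    options: list = field(default_factory=list)      # dropdown choices


@dataclass
class CheckpointRecord:
    record_id: str
    config_id: str
    organization: str
    user: str
    action_type: str
    justification: str
    created_at: str
    enrichment: dict = field(default_factory=dict)   # details from the action's service


class CheckpointService:
    def __init__(self):
        self.configs, self.records = [], []
        self.enrichers = {}   # action type -> callable returning extra record fields

    def applicable_configs(self, user, action):
        """Clause 11: a config applies when type, organization and every condition match."""
        return [c for c in self.configs
                if c.checkpoint_type == action["type"]
                and c.organization == user["organization"]
                and all(cond(action) for cond in c.conditions)]

    def build_dialog(self, config):
        """Clauses 2-3 and 6: the title, description and prompt sent to the user device."""
        return {"title": f"{config.checkpoint_type} checkpoint",
                "description": f"Required by {config.organization}",
                "prompt": config.prompt, "justification_type": config.justification_type,
                "options": list(config.options)}

    def criteria_satisfied(self, config, user_input):
        """Clauses 4-5: validate the user's justification against the configured type."""
        kind = config.justification_type
        if kind == "acknowledgement":
            return user_input.get("acknowledged") is True
        if kind == "dropdown":
            return user_input.get("selection") in config.options
        if kind == "written":
            return len(user_input.get("text", "").strip()) >= 10   # assumed minimum
        return False

    def request_action(self, user, action, user_input, perform):
        """Clauses 1 and 7-9: deny on any unsatisfied checkpoint, else record and act."""
        for config in self.applicable_configs(user, action):
            if not self.criteria_satisfied(config, user_input):
                return {"status": "denied", "config_id": config.config_id}
            justification = (user_input.get("selection") or user_input.get("text")
                             or "acknowledged")
            record = CheckpointRecord(
                record_id=str(uuid.uuid4()), config_id=config.config_id,
                organization=config.organization, user=user["name"],
                action_type=action["type"], justification=justification,
                created_at=datetime.now(timezone.utc).isoformat())
            # Clause 9: ask the service behind the action for context worth keeping.
            enrich = self.enrichers.get(action["type"], lambda a: {})
            record.enrichment = enrich(action)
            self.records.append(record)
        return {"status": "performed", "result": perform(action)}

    def view_records(self, viewer):
        """Clauses 15-17: records in the viewer's organization, restricted fields redacted."""
        visible = []
        for r in self.records:
            if r.organization != viewer["organization"]:
                continue
            row = {"record_id": r.record_id, "user": r.user, "action_type": r.action_type,
                   "justification": r.justification, "enrichment": dict(r.enrichment)}
            if "view_justifications" not in viewer.get("permissions", ()):
                row["justification"] = "[redacted]"
            visible.append(row)
        return visible


def demo_service():
    """Constructed sample: exports of more than 1000 rows need a reason from a dropdown."""
    svc = CheckpointService()
    svc.configs.append(CheckpointConfig(
        config_id="cfg-export-large", organization="acme", checkpoint_type="export",
        prompt="Why are you exporting this dataset?", justification_type="dropdown",
        conditions=[lambda a: a.get("row_count", 0) > 1000],
        options=["Audit", "Fraud investigation"]))
    svc.enrichers["export"] = lambda a: {"dataset": a["dataset"], "row_count": a["row_count"]}
    return svc
```

With `demo_service()`, a 5,000-row export accompanied by the selection `"Audit"` is performed and leaves one record carrying the dataset name and row count; the same export with a selection outside the configured options is denied and leaves no record; a 10-row export matches no config and runs without a checkpoint. A viewer without `view_justifications` sees the record with the justification replaced by `[redacted]`, and a viewer from another organization sees nothing. Note that `request_action` writes a record per satisfied checkpoint before the action runs, so the audit trail exists even if `perform` later fails.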

Clause 18: A system comprising: a computer readable storage medium having program instructions embodied therewith; and one or more processors configured to execute the program instructions to cause the system to perform the computer-implemented method of any of Clauses 1-17.

Clause 19: A computer program product comprising a computer-readable storage medium having program instructions embodied therewith, the program instructions executable by one or more processors to cause the one or more processors to perform the computer-implemented method of any of Clauses 1-17.

Clause 20: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to perform an action; determining a checkpoint config object associated with the action; determining whether frequency criteria associated with the checkpoint config object are satisfied; and in response to determining that the frequency criteria associated with the checkpoint config object are satisfied: causing display of a checkpoint dialog based on a checkpoint config object.

Clause 21: The computer-implemented method of Clause 20 further comprising, by the one or more hardware processors executing program instructions: receiving a user input via the checkpoint dialog; determining whether criteria associated with the checkpoint config object are satisfied based on the user input; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and proceeding to perform the action.

Clause 22: The computer-implemented method of Clause 21, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.

Clause 23: The computer-implemented method of Clause 21 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: denying the request to perform the action.

Clause 24: The computer-implemented method of any of Clauses 20-23, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.

Clause 25: The computer-implemented method of any of Clauses 20-24 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the frequency criteria associated with the checkpoint config object are not satisfied: not causing display of the checkpoint dialog based on the checkpoint config object.

Clause 26: The computer-implemented method of Clause 20, wherein the checkpoint dialog comprises an end user license agreement.

Clause 27: The computer-implemented method of any of Clauses 20-26, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.

Clause 28: The computer-implemented method of Clause 27, wherein the instructions comprise at least one of: a title, a description, or a prompt.

Clause 29: The computer-implemented method of Clause 20, wherein the checkpoint config object comprises at least one of: a checkpoint type, one or more conditions, or the frequency criteria.

Clause 30: The computer-implemented method of any of Clauses 20-29, wherein said determining the checkpoint config object associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with the checkpoint config object are satisfied.

Clause 31: A computer-implemented method for configuring purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a first user, a checkpoint configuration comprising at least: a specification of a checkpoint type; a specification of frequency criteria; a specification of a checkpoint prompt; and a specification of a justification type, wherein the justification type comprises at least one of: an acknowledgement, a selection from a dropdown, or an input of a written response; generating a checkpoint configuration object including the checkpoint configuration; and in response to a request to perform an action, determining applicability of the checkpoint configuration object to the action based on the checkpoint configuration.

Clause 32: The computer-implemented method of Clause 31 wherein the checkpoint configuration further comprises: one or more conditions, wherein the conditions comprise rules for activating the checkpoint configuration.

Clause 33: The computer-implemented method of any of Clauses 31-32 further comprising, by the one or more hardware processors executing program instructions: in response to receiving at least a part of the checkpoint configuration: determining any conflicts between the checkpoint configuration and other checkpoint configurations; and displaying, to the first user, a notice of any conflicts, or a notice of no conflicts.

Clause 34: The computer-implemented method of any of Clauses 31-33, wherein the checkpoint configuration further comprises: a specification of an enrollment, wherein the enrollment is associated with a plurality of organizations.

Clause 35: The computer-implemented method of Clause 34 further comprising, by the one or more hardware processors executing program instructions: generating a plurality of checkpoint config objects, each comprising the checkpoint configuration, but each specifying different ones of the plurality of organizations.

Clause 36: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a first user, a request to perform an action; determining any checkpoint config objects associated with the action; causing display of a checkpoint dialog based on a checkpoint config object; receiving a user input via the checkpoint dialog; determining whether criteria associated with the checkpoint config object are satisfied based on the user input; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object including a status of pending approval; and generating a notification to a second user requesting approval for the first user to perform the action.

Clause 37: The computer-implemented method of Clause 36 further comprising, by the one or more hardware processors executing program instructions: receiving an input from the second user approving the request; updating the checkpoint record object including a status of approved; and proceeding to perform the action.

Clause 38: The computer-implemented method of Clause 36 further comprising, by the one or more hardware processors executing program instructions: receiving an input from the second user rejecting the request; updating the checkpoint record object including a status of rejected; and denying the request to perform the action.

Clause 39: The computer-implemented method of any of Clauses 36-38, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.

Clause 40: The computer-implemented method of any of Clauses 36-39 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: denying the request to perform the action.

Clause 41: The computer-implemented method of any of Clauses 36-40, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.

Clause 42: The computer-implemented method of any of Clauses 36-41, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.

Clause 43: The computer-implemented method of Clause 42, wherein the instructions comprise at least one of: a title, a description, or a prompt.

Clause 44: The computer-implemented method of Clause 36, wherein the checkpoint config object comprises at least one of: a checkpoint type, or one or more conditions.

Clause 45: The computer-implemented method of any of Clauses 36-44, wherein said determining any checkpoint config objects associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with the checkpoint config object are satisfied.

Clause 46: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to perform an action; requesting a check for a checkpoint associated with the action; receiving information usable for display of a checkpoint dialog; displaying the checkpoint dialog; receiving a user input via the checkpoint dialog; requesting a determination whether the user input is satisfactory; and in response to receiving an approval, allowing the action to proceed.

Clause 47: The computer-implemented method of Clause 46, wherein the requesting is directed to a checkpoints service.

Clause 48: The computer-implemented method of Clause 47 further comprising, by the one or more hardware processors executing program instructions: by a checkpoints service: in response to the requesting the check: determining any checkpoint config objects associated with the action; providing information for display of the checkpoint dialog based on a checkpoint config object; and in response to the requesting the determination: determining whether criteria associated with the checkpoint config object are satisfied based on the user input; and in response to determining that the criteria associated with the checkpoint config object are satisfied: providing the approval.

Clause 49: The computer-implemented method of Clause 48 further comprising, by the one or more hardware processors executing program instructions: in response to receiving a denial, not allowing the action to proceed.

Clause 50: The computer-implemented method of Clause 49 further comprising, by the one or more hardware processors executing program instructions: by the checkpoints service: in response to determining that the criteria associated with the checkpoint config object are not satisfied: providing the denial.

Clause 51: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to perform an action; determining a need for permissions elevation for the user to perform the action; determining any checkpoint config objects associated with the permissions elevation; causing display of a checkpoint dialog based on a checkpoint config object; determining whether criteria associated with the checkpoint config object are satisfied; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and causing the permissions of the user to be elevated.

Clause 52: The computer-implemented method of Clause 51 further comprising, by the one or more hardware processors executing program instructions: further in response to determining that the criteria associated with the checkpoint config object are satisfied: proceeding to perform the action.

Clause 53: The computer-implemented method of Clause 51, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.

Clause 54: The computer-implemented method of Clause 53, wherein the instructions comprise at least one of: a title, a description, or a prompt.

Clause 55: The computer-implemented method of any of Clauses 51-54 further comprising, by the one or more hardware processors executing program instructions: receiving a user input via the checkpoint dialog, wherein said determining whether criteria associated with the checkpoint config object are satisfied is based on the user input.

Clause 56: The computer-implemented method of Clause 55, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.

Clause 57: The computer-implemented method of any of Clauses 51-56, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.

Clause 58: The computer-implemented method of any of Clauses 51-57 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: not causing the permissions of the user to be elevated.

Clause 59: The computer-implemented method of Clause 51, wherein the checkpoint config object comprises at least one of: a checkpoint type, or one or more conditions.

Clause 60: The computer-implemented method of any of Clauses 51-59, wherein said determining any checkpoint config objects associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with checkpoint config objects are satisfied.

Clause 61: A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to login, wherein the request includes credentials of the user; determining, based on the credentials, an authentication of the user; determining any checkpoint config objects associated with the request to login; causing display of a checkpoint dialog based on a checkpoint config object; determining whether criteria associated with the checkpoint config object are satisfied; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and allowing login of the authenticated user to proceed.

Clause 62: The computer-implemented method of Clause 61, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.

Clause 63: The computer-implemented method of Clause 62, wherein the instructions comprise at least one of: a title, a description, or a prompt.

Clause 64: The computer-implemented method of any of Clauses 61-63 further comprising, by the one or more hardware processors executing program instructions: receiving a user input via the checkpoint dialog, wherein said determining whether criteria associated with the checkpoint config object are satisfied is based on the user input.

Clause 65: The computer-implemented method of Clause 64, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.

Clause 66: The computer-implemented method of any of Clauses 61-65, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.

Clause 67: The computer-implemented method of any of Clauses 61-66 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: not allowing login of the authenticated user to proceed.

Clause 68: The computer-implemented method of Clause 61, wherein the checkpoint config object comprises at least one of: a checkpoint type, or one or more conditions.

Clause 69: The computer-implemented method of any of Clauses 61-68, wherein said determining any checkpoint config objects associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with checkpoint config objects are satisfied.

Clause 70: A system comprising: a computer readable storage medium having program instructions embodied therewith; and one or more processors configured to execute the program instructions to cause the system to perform the computer-implemented method of any of Clauses 20-69.

Clause 71: A computer program product comprising a computer-readable storage medium having program instructions embodied therewith, the program instructions executable by one or more processors to cause the one or more processors to perform the computer-implemented method of any of Clauses 20-69. 
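The service-side flow recited in Clauses 20-60 (determine the checkpoint config objects applicable to an action, apply frequency criteria, send dialog instructions to the user device, evaluate the justification the user supplies, generate a checkpoint record object, then allow the action, deny it, or hold it pending a second user's approval) is shown below as an added Python illustration. It is not the applicant's code or any product's implementation; the class names, the "action"/"elevation" checkpoint types, the ten-character rule for written justifications, the no-self-approval rule and the sample users and actions are assumptions made for the example.

```python
"""Toy checkpoints service (added illustration, not the applicant's code). The
class names, sample actions and user ids below are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CheckpointConfig:
    """Checkpoint config object: type, conditions, frequency and dialog text."""
    config_id: str
    checkpoint_type: str             # "action" | "elevation" | "login"
    conditions: object               # callable(action) -> bool: activation rule
    prompt: str
    justification_type: str          # "acknowledgement" | "dropdown" | "written"
    dropdown_options: tuple = ()
    frequency: timedelta = None      # None: prompt on every request
    requires_approval: bool = False  # hold for a second user (Clause 36)


@dataclass
class CheckpointRecord:
    """Checkpoint record object: the audit entry for one evaluation."""
    record_id: int
    config_id: str
    user: str
    action: dict
    justification: str
    status: str                      # approved | pending_approval | rejected
    created: datetime
    enrichment: dict = field(default_factory=dict)


class CheckpointsService:
    def __init__(self, configs):
        self.configs, self.records = list(configs), []

    def applicable_configs(self, action):
        """Configs associated with the action: type matches and conditions hold."""
        return [c for c in self.configs
                if c.checkpoint_type == action["type"] and c.conditions(action)]

    def frequency_satisfied(self, cfg, user, now):
        """Re-prompt only if no approved record exists inside the interval."""
        return cfg.frequency is None or not any(
            r.config_id == cfg.config_id and r.user == user and r.status == "approved"
            and now - r.created < cfg.frequency for r in self.records)

    def criteria_satisfied(self, cfg, user_input):
        """Is the supplied justification acceptable for this config?"""
        if cfg.justification_type == "acknowledgement":
            return user_input is True
        if cfg.justification_type == "dropdown":
            return user_input in cfg.dropdown_options
        return isinstance(user_input, str) and len(user_input.strip()) >= 10

    def request_action(self, user, action, answer, now):
        """Evaluate every applicable checkpoint. `answer` stands in for the user
        device: it receives the dialog instructions and returns the user's input."""
        last = None
        for cfg in self.applicable_configs(action):
            if not self.frequency_satisfied(cfg, user, now):
                continue                 # dialog suppressed within the interval
            user_input = answer({"prompt": cfg.prompt, "options": cfg.dropdown_options})
            ok = self.criteria_satisfied(cfg, user_input)
            status = ("pending_approval" if ok and cfg.requires_approval
                      else "approved" if ok else "rejected")
            last = CheckpointRecord(len(self.records) + 1, cfg.config_id, user,
                                    action, str(user_input), status, now)
            self.records.append(last)    # recorded whatever the outcome
            if status != "approved":
                return status, last      # denied, or held for approval
        return "approved", last

    def decide(self, record_id, approver, approve):
        """A second user approves or rejects a pending record (no self-approval)."""
        rec = self.records[record_id - 1]
        if rec.status != "pending_approval" or approver == rec.user:
            raise PermissionError("record not pending, or self-approval attempted")
        rec.status = "approved" if approve else "rejected"
        rec.enrichment["decided_by"] = approver
        return rec.status


def demo():
    """Constructed scenario; returns the outcomes so they can be checked."""
    t0 = datetime(2021, 5, 20, tzinfo=timezone.utc)
    export = CheckpointConfig("cp-export", "action",
                              lambda a: a.get("classification") == "sensitive",
                              "Why export this data?", "dropdown",
                              ("Investigation", "Audit"), frequency=timedelta(days=1))
    elevate = CheckpointConfig("cp-elevate", "elevation", lambda a: True,
                               "Describe the need.", "written", requires_approval=True)
    svc = CheckpointsService([export, elevate])
    sensitive = {"type": "action", "name": "export", "classification": "sensitive"}
    out = {"first": svc.request_action("alice", sensitive, lambda d: "Investigation", t0)[0],
           "repeat": svc.request_action("alice", sensitive, lambda d: None,
                                        t0 + timedelta(hours=2))[0]}
    out["records"], out["bad_option"] = len(svc.records), svc.request_action(
        "bob", sensitive, lambda d: "because", t0)[0]
    status, rec = svc.request_action("bob", {"type": "elevation", "dataset": "finance"},
                                     lambda d: "Quarter-end reconciliation", t0)
    out["elevation"], out["after_approval"] = status, svc.decide(rec.record_id, "carol", True)
    return out
```

Two design points worth noticing: every evaluation writes a record object even when the request is rejected, which is what makes the records usable as an audit trail, and the frequency check consults only approved records, so a rejected attempt does not silence the next prompt inside the interval.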

What is claimed is:
 1. A computer-implemented method for providing purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a user, a request to perform an action; determining any checkpoint config objects associated with the action; causing display of a checkpoint dialog based on a checkpoint config object; determining whether criteria associated with the checkpoint config object are satisfied; and in response to determining that the criteria associated with the checkpoint config object are satisfied: generating a checkpoint record object; and proceeding to perform the action.
 2. The computer-implemented method of claim 1, wherein said causing display of the checkpoint dialog comprises: providing instructions to a user device to display the checkpoint dialog.
 3. The computer-implemented method of claim 2, wherein the instructions comprise at least one of: a title, a description, or a prompt.
 4. The computer-implemented method of claim 1 further comprising, by the one or more hardware processors executing program instructions: receiving a user input via the checkpoint dialog, wherein said determining whether criteria associated with the checkpoint config object are satisfied is based on the user input.
 5. The computer-implemented method of claim 4, wherein the user input comprises at least one of: an acknowledgement, a selection from a dropdown, or a written response.
 6. The computer-implemented method of claim 4, wherein the checkpoint dialog comprises at least one of: a request for an acknowledgement, a request for a selection from a dropdown, or a request for a written response.
 7. The computer-implemented method of claim 1 further comprising, by the one or more hardware processors executing program instructions: in response to determining that the criteria associated with the checkpoint config object are not satisfied: denying the request to perform the action.
 8. The computer-implemented method of claim 1, wherein said generating the checkpoint record object comprises: enriching the checkpoint record object with information associated with the action.
 9. The computer-implemented method of claim 8, wherein said enriching the checkpoint record object with information associated with the action comprises: receiving information from a service associated with the action.
 10. The computer-implemented method of claim 1, wherein the checkpoint config object comprises at least one of: a checkpoint type, or one or more conditions.
 11. The computer-implemented method of claim 1, wherein said determining any checkpoint config objects associated with the action comprises: determining whether a checkpoint type, or one or more conditions, associated with checkpoint config objects are satisfied.
 12. A system comprising: a computer readable storage medium having program instructions embodied therewith; and one or more processors configured to execute the program instructions to cause the system to perform the computer-implemented method of claim 1.
 13. A computer-implemented method for configuring purpose-based checkpoints on user actions, the computer-implemented method comprising, by one or more hardware processors executing program instructions: receiving, from a first user, a checkpoint configuration comprising at least: a specification of an organization; a specification of a checkpoint type; a specification of a checkpoint prompt; and a specification of a justification type, wherein the justification type comprises at least one of: an acknowledgement, a selection from a dropdown, or an input of a written response; generating a checkpoint configuration object including the checkpoint configuration; and in response to a request to perform an action, determining applicability of the checkpoint configuration object to the action based on the checkpoint configuration.
 14. The computer-implemented method of claim 13 wherein the checkpoint configuration further comprises: one or more conditions, wherein the conditions comprise rules for activating the checkpoint configuration.
 15. The computer-implemented method of claim 13 further comprising, by the one or more hardware processors executing program instructions: receiving, from the first user, a request to view checkpoint configuration objects; and displaying checkpoint configuration objects based on properties and permissions associated with the user, wherein the checkpoint configuration objects include the checkpoint configuration object.
 16. The computer-implemented method of claim 13 further comprising, by the one or more hardware processors executing program instructions: receiving, from the first user, a request to view checkpoint record objects; and determining and displaying checkpoint record objects based on properties and permissions associated with the first user.
 17. The computer-implemented method of claim 16 further comprising, by the one or more hardware processors executing program instructions: determining and displaying one or more properties associated with the checkpoint record objects.
 18. The computer-implemented method of claim 17, wherein said determining one or more properties associated with the checkpoint record objects comprises: determining one or more properties associated with one or more of the checkpoint record objects that the first user does not have permission to view; and redacting the determined one or more properties from display. 
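The configuration-side steps of Clause 33 (detecting conflicts between a new checkpoint configuration and existing ones and returning a notice either way), Clause 35 (one config object per enrolled organization) and claims 16-18 (showing a viewer only the checkpoint record objects, and only the properties, that their permissions allow) are illustrated below in added Python. This is not the applicant's code; the overlap rule used to decide what counts as a conflict, the permission names, the "viewers always see their own records" rule and the record fields are assumptions made for the example.

```python
"""Configuration-side helpers for the checkpoint clauses (added illustration,
not the applicant's code). The conflict rule, the permission names and the
record fields are assumptions made for the example."""


def configs_conflict(a, b):
    """Assumed rule: two configs conflict when they target the same organization
    and checkpoint type and their activation conditions can both hold at once.
    Conditions are a frozenset of (attribute, value) pairs; empty means 'always'."""
    if a["organization"] != b["organization"] or a["checkpoint_type"] != b["checkpoint_type"]:
        return False
    if not a["conditions"] or not b["conditions"]:
        return True                  # an unconditional checkpoint overlaps everything
    for attr, val in a["conditions"]:
        for attr_b, val_b in b["conditions"]:
            if attr == attr_b and val != val_b:
                return False         # same attribute pinned to different values
    return True


def conflict_notice(new_cfg, existing):
    """Clause 33: a notice of any conflicts, or a notice of no conflicts."""
    ids = [c["config_id"] for c in existing
           if c["config_id"] != new_cfg["config_id"] and configs_conflict(new_cfg, c)]
    return f"conflicts with {', '.join(ids)}" if ids else "no conflicts"


def expand_enrollment(cfg, organizations):
    """Clause 35: one config object per enrolled organization, same settings."""
    return [{**cfg, "config_id": f"{cfg['config_id']}@{org}", "organization": org}
            for org in organizations]


# Record properties and the permission a viewer needs to see each one (assumed).
PROPERTY_PERMISSIONS = {"user": "view_identities",
                        "justification": "view_justifications",
                        "action": "view_actions"}


def visible_records(records, viewer):
    """Claim 16: the viewer's own records, plus those of organizations they administer."""
    return [r for r in records
            if r["user"] == viewer["id"] or r["organization"] in viewer["admin_orgs"]]


def redact(record, viewer):
    """Claim 18: replace the properties the viewer lacks permission to view."""
    if record["user"] == viewer["id"]:
        return dict(record)          # own records are shown in full (assumption)
    return {k: ("[redacted]" if k in PROPERTY_PERMISSIONS
                and PROPERTY_PERMISSIONS[k] not in viewer["permissions"] else v)
            for k, v in record.items()}


def view_records(records, viewer):
    return [redact(r, viewer) for r in visible_records(records, viewer)]


def demo():
    """Constructed configs, records and viewers; returns what each check produced."""
    base = {"config_id": "cp-export", "organization": "org-a", "checkpoint_type": "action",
            "conditions": frozenset({("classification", "sensitive")})}
    existing = [base,
                {**base, "config_id": "cp-all", "conditions": frozenset()},
                {**base, "config_id": "cp-public",
                 "conditions": frozenset({("classification", "public")})},
                {**base, "config_id": "cp-other-org", "organization": "org-b"}]
    new_cfg = {**base, "config_id": "cp-new",
               "conditions": frozenset({("classification", "sensitive"),
                                        ("dataset", "finance")})}
    records = [{"record_id": 1, "user": "alice", "organization": "org-a", "action": "export",
                "justification": "Investigation", "status": "approved"},
               {"record_id": 2, "user": "bob", "organization": "org-a", "action": "export",
                "justification": "Audit", "status": "rejected"},
               {"record_id": 3, "user": "bob", "organization": "org-b", "action": "elevate",
                "justification": "Quarter-end reconciliation", "status": "pending_approval"}]
    auditor = {"id": "carol", "admin_orgs": {"org-a"}, "permissions": {"view_justifications"}}
    bob = {"id": "bob", "admin_orgs": set(), "permissions": set()}
    return {"notice": conflict_notice(new_cfg, existing),
            "expanded": [c["organization"] for c in expand_enrollment(base, ["org-a", "org-b"])],
            "auditor_view": view_records(records, auditor),
            "bob_view": view_records(records, bob)}
```

The conflict rule deliberately treats an unconditional checkpoint as overlapping every conditional one for the same organization and type, since both would fire on the same request; the redaction step runs after the visibility filter, so a viewer never learns that a record exists in an organization they do not administer.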